The steps order is a little bit weird. It should be in this order:
- Create user account in AD
- Let user to login to web enrollment portal using AD account credentials
- Enroll for user certificate (or other user template that builds subject automatically and include Client Authentication, for example User template)
The most important is step 3: when you use template that builds subject from AD and include user UPN in SAN extension, then your step 3 is unnecessary, because client certificate is bound to a user account implicitly via UPN match.