Thank you for reaching out and welcome to the Microsoft Q&A forum.
Our initial research on both Front Door and Application Gateway suggests they don't support passing the original certificate to backend Web Apps.
Your understanding here is correct. It would be helpful if you could create a feedback item regarding this request on the Azure Feedback portal for Application Gateway and upvote this similar request for Azure Front Door.
Alternatively, Azure Application Gateway supports mTLS, where you can upload trusted client CA certificate(s) to the Application Gateway, and the gateway will use that CA to authenticate the client sending a request to the gateway. Information about the client certificate can be passed to the backend using these server variables. However, in your case you will have to modify the backend code to use this feature.
Can you please advise on what options we have?
As mentioned by AndreasBaumgarten above, Azure Load Balancer operates at Layer 4 and supports SSL/TLS pass-through, as it never interacts with Layer 7 traffic.
Another service I could think of is Azure API Management, as it allows you to secure access to the backend service of an API using client certificates. Azure API Management can be deployed inside an Azure virtual network (VNet) to access backend services within the network. You can go through the features list of APIM and see whether this service satisfies your requirements.
Hope this helps! Please let me know if you have any additional questions. Thank you!
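To illustrate the "modify the backend code" point from the Application Gateway mTLS option above, here is an added example (not from the original answer or from Microsoft) of a backend-side check that consumes client-certificate details forwarded as headers. The header names, the shared gateway secret, and the "SUCCESS" verification value are assumptions: the real names are whatever your Application Gateway rewrite rule maps the server variables to.

```python
import hmac
from typing import Iterable, Mapping, Tuple

# Assumed header names: set by an Application Gateway rewrite rule from the
# client-certificate server variables (fingerprint and verification result).
FINGERPRINT_HEADER = "x-client-cert-fingerprint"
VERIFICATION_HEADER = "x-client-cert-verification"
# Hypothetical header carrying a secret only the gateway knows, so the backend
# can tell gateway traffic from a caller that reached the Web App directly.
GATEWAY_SECRET_HEADER = "x-gateway-auth"


def normalize_fingerprint(fp: str) -> str:
    """Canonicalise 'AB:CD:..' / 'ab cd ..' / 'abcd..' into lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def authorize_request(headers: Mapping[str, str],
                      allowed_fingerprints: Iterable[str],
                      gateway_secret: str) -> Tuple[bool, str]:
    """Decide whether a request forwarded by the gateway is from a trusted client cert."""
    # Header lookup is case-insensitive, as HTTP header names are.
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Forwarded certificate headers are only meaningful if the gateway set
    #    them; reject anything that did not prove it came through the gateway.
    if not hmac.compare_digest(h.get(GATEWAY_SECRET_HEADER, ""), gateway_secret):
        return False, "request did not arrive via the trusted gateway"

    # 2. The gateway, not the backend, validated the chain against the uploaded
    #    CA; assumed value "SUCCESS" signals that validation passed.
    if h.get(VERIFICATION_HEADER, "").upper() != "SUCCESS":
        return False, "gateway did not verify the client certificate"

    # 3. Pin the presented certificate to an explicit allow-list of fingerprints.
    allowed = {normalize_fingerprint(f) for f in allowed_fingerprints}
    fp = normalize_fingerprint(h.get(FINGERPRINT_HEADER, ""))
    if not fp or fp not in allowed:
        return False, "client certificate fingerprint not on allow-list"
    return True, "ok"


# Constructed sample values (not real certificates or secrets).
ALLOWED = ["AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01"]
SECRET = "constructed-gateway-secret"
GOOD = {"X-Gateway-Auth": SECRET, "X-Client-Cert-Verification": "SUCCESS",
        "X-Client-Cert-Fingerprint": "abcdef0123456789abcdef0123456789abcdef01"}
BYPASS = {"X-Client-Cert-Verification": "SUCCESS",
          "X-Client-Cert-Fingerprint": "abcdef0123456789abcdef0123456789abcdef01"}
```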