Hi @Upasana Ghosh, thanks for reaching out. To log a call with failed authentication, you can use the trace policy. The trace policy adds a custom trace into the API Inspector output, Application Insights telemetries, and/or Resource Logs. Please refer to: https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#Trace
OAuth 2 based authentication and authentication with a client certificate are two different things; this can't be achieved using a single policy. Please refer to: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients#certificate-validation-with-context-variables
The rest of the scenarios can be achieved using a validate JWT policy. For more information, please refer to: https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT
Let me know in case of further queries; I would be happy to assist you.
Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
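
As an added illustration that is not part of the original answer, the API Management policy below combines the three pieces mentioned above: a client-certificate check, a separate `validate-jwt` check, and `trace` policies that record each kind of authentication failure. The `{tenant-id}` and `{api-audience}` values are placeholders, and the trace source names and the 403/401 responses are assumptions chosen for this sketch.

```xml
<!-- Added example. {tenant-id} and {api-audience} are placeholders; the trace
     source names are arbitrary labels chosen for this sketch. -->
<policies>
  <inbound>
    <base />
    <!-- Client-certificate check: its own policy block, separate from OAuth 2. -->
    <choose>
      <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
        <!-- return-response does not go through on-error, so trace here first. -->
        <trace source="client-cert-auth" severity="error">
          <message>@("Client certificate missing or invalid for " + context.Operation.Name)</message>
          <metadata name="CallerIp" value="@(context.Request.IpAddress)" />
        </trace>
        <return-response>
          <set-status code="403" reason="Invalid client certificate" />
        </return-response>
      </when>
    </choose>
    <!-- OAuth 2 bearer token check. A failure here raises an error and jumps to on-error. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>{api-audience}</audience>
      </audiences>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
    <!-- Log only failures raised by validate-jwt; never log the token itself. -->
    <choose>
      <when condition="@(context.LastError.Source == "validate-jwt")">
        <trace source="jwt-auth" severity="error">
          <message>@("JWT validation failed: " + context.LastError.Reason + " - " + context.LastError.Message)</message>
          <metadata name="CallerIp" value="@(context.Request.IpAddress)" />
        </trace>
      </when>
    </choose>
  </on-error>
</policies>
```

The traces reach Application Insights or resource logs only when the API's diagnostic settings are enabled and their verbosity admits the `error` severity.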