Tested above and indeed, if I import GPO created WiFi profile and apply it to Intune only machines (that do have NDES Connector issued certificate from my internal CA), I can have MACHINE ONLY authentication for WiFi connectivity
So local user (no certificate issued) stays connected to WiFi
No idea why Intune own WiFi profile does not have this option available!
Seb