My understanding is that the WAP is terminating the TLS tunnel and establishing a new TLS session with the backend. In this context, the client never talks to the backend directly making the TLS authentication impossible.
You could configure the subfolder to use WS-Federation and federate with ADFS. Then you could enable Certificate Based authentication in the authentication policy in ADFS (both internally and externally), and force the application to request certificate based authentication. More of a workaround but that would do the trick.