Hello @Michael van der Burg
Here’s what I found.
Always On VPN natively supports Windows Hello for Business (in certificate-based authentication mode).
According to this Blog, this certificate should be issued if the VPN server will be accepting SSTP connections. The certificate revocation list (CRL) for this certificate needs to be available on the internet. If the CRL for the internal PKI is not publicly available, then this certificate should be issued through a third-party CA. An existing SSL wildcard certificate could be used here.
Hope that helps.
Best Regards
Karlie
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.