Hi Sam,
Thank you for asking this question on the Microsoft Q&A Platform.
AFAIK, the username binding policy helps locate the user in the tenant. By default, the Subject Alternate Name (SAN) Principal Name in the certificate is mapped to the onPremisesUserPrincipalName attribute of the user object to determine the user, so this should be sufficient. Do you have MFA authentication enabled for enhanced security? This should add an additional level of security.
As per Microsoft, support is for two certificate fields, SAN Principal Name and SAN RFC822Name, to map against the user object attributes userPrincipalName and onPremisesUserPrincipalName.
There is a detailed article with steps to verify this process: concept-certificate-based-authentication-technical-deep-dive
===
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
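The following is an added example, not code from the answer above or from Microsoft, showing how a username-binding lookup of the kind the answer describes can be modelled: the two certificate fields it names (SAN Principal Name, carried as an X.509 otherName with Microsoft's UPN OID 1.3.6.1.4.1.311.20.2.3, and SAN RFC822Name) are matched against the two user attributes it names (userPrincipalName and onPremisesUserPrincipalName). The directory contents, the binding order, the "ambiguous match is rejected rather than falling through" rule, and all function names are assumptions made for illustration; the SAN values are constructed to look the way a certificate parser would return them (the otherName value as raw DER bytes).

```python
"""Added example (not from the Q&A post): modelling a CBA username-binding
lookup. Directory, binding order and helper names are assumptions."""
from dataclasses import dataclass
from typing import Optional

# OID Microsoft uses for the SAN otherName "Principal Name" (UPN) entry.
UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"


def decode_der_utf8string(der: bytes) -> str:
    """Decode a DER UTF8String (tag 0x0C), which is how the UPN sits inside
    the otherName value. Handles short- and long-form lengths; rejects
    anything else, so a malformed value never resolves to a user."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    length, offset = der[1], 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    if len(der) != offset + length:
        raise ValueError("DER length mismatch")
    return der[offset:offset + length].decode("utf-8")


def encode_der_utf8string(s: str) -> bytes:
    """Inverse of the decoder, used only to build constructed test SANs."""
    b = s.encode("utf-8")
    assert len(b) < 128, "short-form length only in this helper"
    return bytes([0x0C, len(b)]) + b


@dataclass
class SubjectAltName:
    """SAN entries relevant to CBA, as a parser would hand them back."""
    other_names: list    # (oid, der_value) pairs
    rfc822_names: list   # plain e-mail strings

    def principal_name(self) -> Optional[str]:
        for oid, der in self.other_names:
            if oid == UPN_OTHERNAME_OID:
                return decode_der_utf8string(der)
        return None


@dataclass
class User:
    object_id: str
    userPrincipalName: str
    onPremisesUserPrincipalName: Optional[str] = None


# Assumed binding policy: ordered (certificate field, user attribute) pairs,
# first pair listed is the default mapping the answer describes.
DEFAULT_BINDINGS = [
    ("PrincipalName", "onPremisesUserPrincipalName"),
    ("RFC822Name", "userPrincipalName"),
]


def certificate_field_values(san: SubjectAltName, fieldname: str) -> list:
    if fieldname == "PrincipalName":
        v = san.principal_name()
        return [v] if v else []
    if fieldname == "RFC822Name":
        return list(san.rfc822_names)
    raise ValueError(f"unknown certificate field {fieldname!r}")


def resolve_user(san: SubjectAltName, users: list, bindings=DEFAULT_BINDINGS) -> Optional[User]:
    """Return the single user a binding selects, or None.
    The first binding that yields exactly one user wins. A binding that
    yields several users is treated as ambiguous and rejected outright
    (assumed rule): falling through to a weaker binding could let one
    certificate select a different account than intended."""
    for cert_field, attr in bindings:
        values = {v.casefold() for v in certificate_field_values(san, cert_field)}
        if not values:
            continue                       # field absent, try next binding
        matches = [u for u in users
                   if (getattr(u, attr) or "").casefold() in values]
        if len(matches) == 1:
            return matches[0]
        if len(matches) > 1:
            return None                    # ambiguous: reject
    return None


def make_san(principal: Optional[str] = None, emails=()) -> SubjectAltName:
    """Build a constructed SAN with an optional UPN otherName and e-mails."""
    others = [(UPN_OTHERNAME_OID, encode_der_utf8string(principal))] if principal else []
    return SubjectAltName(other_names=others, rfc822_names=list(emails))


def demo_directory() -> list:
    """Constructed sample tenant; u4/u5 deliberately share an on-prem UPN."""
    return [
        User("u1", "alice@contoso.com", "alice@corp.contoso.local"),
        User("u2", "bob@contoso.com", None),
        User("u3", "carol@contoso.com", "carol@corp.contoso.local"),
        User("u4", "dup@contoso.com", "dup@corp.contoso.local"),
        User("u5", "dup2@contoso.com", "dup@corp.contoso.local"),
    ]


if __name__ == "__main__":
    users = demo_directory()
    for san in (make_san(principal="alice@corp.contoso.local"),
                make_san(emails=["bob@contoso.com"]),
                make_san(principal="dup@corp.contoso.local", emails=["dup@contoso.com"])):
        print(resolve_user(san, users))
```

The directory is constructed so that one certificate (on-prem UPN dup@corp.contoso.local) matches two accounts; the resolver returns None for it instead of quietly falling back to the RFC822Name binding, which is the behaviour a defender would want to confirm when verifying a tenant's binding configuration against the deep-dive article linked above.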