Android: Allow use of Private CAs, not just System Store Public CAs - Client Certs to filter traffic

I wanted to filter traffic to the server through a reverse proxy using Two-way SSL/Client Certificates, on top of the regular login + 2FA auth. It already works, with the exception of the Android App, because, from what I have pieced together anyway, by default Android Apps only accept/use the System Store with Public CAs unless they are explicitly configured to allow the User Store.

From another app with a similar issue on GitHub:

The Android manifest file must contain a reference to a networkSecurityConfig file:
AndroidManifest.xml

 <application
         ...
         android:networkSecurityConfig="@xml/network_security_configuration"
         ...>

…and this file’s content will explicitly say that it looks up certificates not only in the system store but also in the user one:
network_security_configuration.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

Then one can filter traffic to the reverse proxy with more control than just an IP alone and without any additional costs of buying a Public CA.

Cheers!
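Added example, not part of the original post or of either app's code: a small Python check that reports in which scope a network security config trusts the user certificate store, run on the configuration quoted above and on a constructed variant that limits user CAs to one host. The host name `proxy.example.internal` and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: same content as the configuration quoted in the post.
QUOTED = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config><trust-anchors>
    <certificates src="system" /><certificates src="user" />
  </trust-anchors></base-config>
</network-security-config>"""

# Constructed sample: user CAs trusted only for one host.
# proxy.example.internal is a placeholder, not a name from the post.
SCOPED = """<network-security-config>
  <base-config><trust-anchors><certificates src="system" /></trust-anchors></base-config>
  <domain-config>
    <domain includeSubdomains="false">proxy.example.internal</domain>
    <trust-anchors>
      <certificates src="system" /><certificates src="user" />
    </trust-anchors>
  </domain-config>
</network-security-config>"""

def _trusts_user(section):
    """True if this section's own <trust-anchors> lists the user store."""
    anchors = section.find("trust-anchors")
    if anchors is None:
        return False
    return any(c.get("src") == "user" for c in anchors.findall("certificates"))

def user_ca_scopes(xml_text):
    """Return the scopes in which user-installed CAs are trusted."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    scopes = []
    # base-config covers every connection not matched by a domain-config.
    for tag in ("base-config", "debug-overrides"):
        section = root.find(tag)
        if section is not None and _trusts_user(section):
            scopes.append(tag)
    for dc in root.iter("domain-config"):
        if _trusts_user(dc):
            for d in dc.findall("domain"):
                host = (d.text or "").strip()
                if d.get("includeSubdomains") == "true":
                    host += " (+subdomains)"
                scopes.append("domain-config:" + host)
    return scopes

if __name__ == "__main__":
    print("quoted config:", user_ca_scopes(QUOTED))
    print("scoped config:", user_ca_scopes(SCOPED))
```

A result of `base-config` means user-installed CAs are accepted for every host the app connects to, while a `domain-config:` entry confines that trust to the listed host.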