From my point of view it sounds very strange to have a captive portal involved with any certificate based 802.1x.
In the GPO, configure the clients to do EPA-TLS with both machine and user authentication. This is done under the Additional settings button if EAP-TLS is selected as authentication method.

Another option is to migrate to use EAP-TEAP instead, but this is a bigger work as also ClearPass must be reconfigured to support TEAP.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------