Mutual Auth Query (Qlik)

Hi all,
I have Keycloak serving a Qlik cluster. It uses OpenId with a hand-off between the 2 apps for initial login. This works fine but the client also wants us to validate a user’s browser cert and I’m struggling to make this work.
One of the concerns I have is that if I set SSL to verify-client=“REQUIRED”, then how does it handle back-channel traffic from Qlik? , as Qlik won’t have a browser cert.
Also, there are 2 settings. REQUESTED and REQUIRED. REQUIRED is obviously mandatory but what’s the point of REQUESTED if you can connect without a cert?

In any case, at the moment all I get is a 502 when set to REQUIRED and it doesn’t care about a cert at all when set to REQUESTED.

Does anyone know of any worked example out there that I could follow for a basic “Hello World” type of setup? At least that way I can start to get a grasp on what these settings actually do.