X.509 client cert direct grant with fallback to username/password

Hi, I’m trying to configure a Direct Grant auth flow to accept an X.509 client cert if it is provided in the HTTP header from HAProxy, or, if the header is not present, to accept user/password credentials. I’m using the OIDC endpoint /realms/{realm-name}/protocol/openid-connect/token with param grant_type=password and with either the HTTP header for the SSL cert or the user/password form params.

My auth flow looks like this:

However, the flow fails at the first subflow for X.509 username and doesn’t attempt the user/pass auth. According to the KC server manual (I think), 2 ‘alternative’ subflows are the correct config here, even if both have required sub-elements. Perhaps that’s not true and in fact a required sub-element means that an alternative flow is actually required? Has anyone tried to use X.509 username with direct grant and fall back to user/pass?