At the moment, API Protection doesn't support MTLS for a specific API or a specific IP that can access to these APIs.
We are requiring that because on our nginx plus infrastructures it is possible.
We can't migrate customers with this type of "basic" configurations.