I'm evaluating the use of client certificatates to improve security in an application i'm working on. It all run behind on AWS and pass through an API Gateway with an attached Lambda authorizer.
AWS documentation states that API Gateway do not support authentication through client certificates but allows you to make the authentication in your backend, but the documentation make no mention of what happens when you use Lambda authorizers.
My first bet is that it will not work as API Gateway is unable to see the headers. But as API Gateway handles de creation and storage of the certificates maybe it can at least peer inside the data stream to get the header data allowing the Lambda Authorizer to work.
In my case I want to added client certificate to my already present Token based authorization.
It is posible to implement this setup or can only be done by moving the token verification to the backend.
UPDATE: API Gateway now support mTLS! https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/
Old Answer:
The client certificate verification happens during the TLS handshake. The lambda authorizer works on an HTTP request example input. So you couldn't do real mutual authentication. You could do some custom solution, where you jam some sorta signed information in a header (think sigv4), but that's not really what we're talking about when we talk about mutual TLS.