This was a wee bit of a pest to get going. I managed it by implementing an AutoSelectCertificateForUrls policy.

On Linux I created /etc/chromium/policies/managed/ and then created example.com.json in there. Although it is mentioned, it isn't really all that clear from the documentation that the values must be stringified. I only have a single client certificate installed so I can get away with empty filters and something like this:

{
    "AutoSelectCertificateForUrls": [
      "{
        \"pattern\": \"https://example.com\",
        \"filter\": {}
      }",
      "{
        \"pattern\": \"https://another.example.com\",
        \"filter\": {}
      }"
    ]
}

Looks like an absolute nightmare on mobile Chromium.

I haven't figured out how to make Service Workers automatically use client certificates yet. In fact, I can't really understand yet how to make client certificates work at all reliably when service workers are involved.