I have been thinking about it since I saw it a few days ago. I think I have a working solution using the vars_regexp matcher.
Can you make use of this?
example.com {
	tls {
		client_auth {
			mode verify_if_given
			trust_pool file root.pem
		}
	}

	# ensure at least 1 character is present in the fingerprint to indicate mTLS
	# was provided, hence successful if we reached this far.
	@authed vars_regexp {http.request.tls.client.fingerprint} ^([0-9a-zA-Z]{1,})
	@notauthed not vars_regexp {http.request.tls.client.fingerprint} ^([0-9a-zA-Z]{1,})

	# use the matchers accordingly, preferably with `handle` to ensure mutually-exclusive handling
	# ...
}
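As an added example (not part of the post above), here is one way to wire those two matchers into mutually exclusive `handle` blocks; the backend address and the `/public` path are assumptions for illustration:

```caddyfile
example.com {
	tls {
		client_auth {
			# verify_if_given: a cert is optional, but if presented it must chain to root.pem
			mode verify_if_given
			trust_pool file root.pem
		}
	}

	# fingerprint placeholder is empty unless a verified client cert was presented
	@authed vars_regexp {http.request.tls.client.fingerprint} ^([0-9a-zA-Z]{1,})
	@notauthed not vars_regexp {http.request.tls.client.fingerprint} ^([0-9a-zA-Z]{1,})

	# mTLS clients reach the protected backend (address assumed for this example)
	handle @authed {
		reverse_proxy 127.0.0.1:8080
	}

	# everyone else only gets the public path; anything else is refused
	handle @notauthed {
		handle /public/* {
			respond "public content" 200
		}
		handle {
			respond "client certificate required" 403
		}
	}
}
```

Because `handle` blocks are mutually exclusive, a request can never fall through from the `@notauthed` branch into the protected one.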