So you would leave {host} as is, you don’t need to change it. This is a placeholder.
I’m not sure if the handle directive can work with the tls directive (@ is just a name matcher), but you can still add tls to the specified subdomain outside of the name matcher.
You can use the client_auth directive and use require_and_verify to see if that works for mTLS. @francislavoie has a post from a few years ago mentioning other options.
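
A Caddyfile layout matching the suggestion above, added here as an illustration and not taken from the thread: tls with client_auth sits at the site-block level, outside the named matcher, and {host} is left literal. The hostname, CA file path, matcher name and upstream address are assumed placeholders.

```caddyfile
# Constructed example: app.example.com, the CA path, @api and the
# upstream address are placeholders, not values from the thread.
app.example.com {
    # tls is configured on the site block itself, not inside handle.
    tls {
        client_auth {
            # Require a client certificate and verify it against the CA below.
            mode require_and_verify
            # Caddy 2.8+ replaces this option with: trust_pool file <path>
            trusted_ca_cert_file /etc/caddy/client-ca.pem
        }
    }

    # "@api" is only a name for the matcher; it does not affect TLS.
    @api path /api/*
    handle @api {
        reverse_proxy localhost:8080
    }

    handle {
        # {host} stays as written; Caddy fills it in per request.
        respond "Hello from {host}"
    }
}
```

With this mode, a client that presents no certificate, or one not issued by the configured CA, fails the TLS handshake before any handle block runs.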