If an authentication entry in the pg_hba.conf specifies the clientcert=verify-full, then the client must present a valid SSL certificate that matches the login name, or the client name based on a map.
https://www.postgresql.org/docs/12/ssl-tcp.html#SSL-CLIENT-CERTIFICATES