Description
In MySQL/MariaDB you can require specific users to present an X.509 client certificate and therefore authenticate them by mutual TLS.
Example:

```sql
CREATE USER 'jeffrey'@'localhost' REQUIRE X509;
```
You can even lock it down further by specifying a subject and CA that the presented certificate must be signed by:
```sql
CREATE USER 'bob'@'%' REQUIRE SUBJECT '/CN=bob' ISSUER '/CN=ca.example.com';
```
Another option could be to implement a listener flag like `require_client_certificate: true` to enforce this on a global level.
I think this could be considered in addition to client authentication per user, not as a mutually exclusive alternative. Having only this option might be suboptimal for environments like Kubernetes, where mTLS inside the cluster is often ensured by means like service meshes/CNI plugins, and client certificates must be enforced only for users that connect from outside the cluster.
I think this would be a great addition to dolt, and especially in high security environments this could be interesting. If I can support you in any way, please let me know. Thanks!
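The two enforcement levels the issue asks for, shown as an added example in Go (the language dolt is written in); this is illustration code, not dolt's code and not a proposed implementation. `CertPolicy` mirrors the per-user `REQUIRE SUBJECT ... ISSUER ...` rule, `ListenerConfig` is the listener-wide equivalent of a `require_client_certificate: true` flag (`crypto/tls` with `tls.RequireAndVerifyClientCert` refuses the handshake when no trusted client certificate is presented, then hands the verified chain to `VerifyPeerCertificate`), and `VerifyAndCheck` replays the same two steps outside a live handshake so they can be exercised on constructed certificates. All of these names, and the `newCert` demo issuer, are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertPolicy is the per-user counterpart of MySQL's
// REQUIRE SUBJECT '/CN=bob' ISSUER '/CN=ca.example.com' (assumed type, not dolt's).
// An empty field means no restriction on that part, like plain REQUIRE X509.
type CertPolicy struct {
	SubjectCN string
	IssuerCN  string
}

// CheckClientCert applies the policy to chains the TLS layer has already
// validated against the trusted client CAs. Its signature is the one
// crypto/tls uses for tls.Config.VerifyPeerCertificate (raw certs are ignored).
func CheckClientCert(p CertPolicy, _ [][]byte, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return fmt.Errorf("no verified client certificate")
	}
	leaf := verifiedChains[0][0]
	if p.SubjectCN != "" && leaf.Subject.CommonName != p.SubjectCN {
		return fmt.Errorf("subject CN %q, policy requires %q", leaf.Subject.CommonName, p.SubjectCN)
	}
	if p.IssuerCN != "" && leaf.Issuer.CommonName != p.IssuerCN {
		return fmt.Errorf("issuer CN %q, policy requires %q", leaf.Issuer.CommonName, p.IssuerCN)
	}
	return nil
}

// ListenerConfig is the listener-wide equivalent of a require_client_certificate
// flag: the handshake fails unless the client presents a certificate chaining to
// one of the trusted CAs, and the policy callback then runs on the verified chain.
func ListenerConfig(serverCert tls.Certificate, trusted *x509.CertPool, p CertPolicy) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    trusted,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		VerifyPeerCertificate: func(raw [][]byte, chains [][]*x509.Certificate) error {
			return CheckClientCert(p, raw, chains)
		},
	}
}

// VerifyAndCheck replays the two steps outside a handshake, in the order a
// server must do them: trust-chain validation first, per-user policy second.
func VerifyAndCheck(p CertPolicy, leaf *x509.Certificate, trusted *x509.CertPool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("client certificate not trusted: %w", err)
	}
	return CheckClientCert(p, nil, chains)
}

// newCert is a demo-only issuer: with parent == nil it returns a self-signed CA,
// otherwise a client-auth leaf signed by parent. Issuer CN comes from the CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo issues constructed certificates from a trusted CA and from an untrusted CA
// that reuses the same CN, and returns each policy decision keyed by scenario.
func Demo() map[string]error {
	ca, caKey := newCert("ca.example.com", nil, nil)
	rogue, rogueKey := newCert("ca.example.com", nil, nil) // same CN, untrusted key
	bob, _ := newCert("bob", ca, caKey)
	alice, _ := newCert("alice", ca, caKey)
	fakeBob, _ := newCert("bob", rogue, rogueKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	bobPolicy := CertPolicy{SubjectCN: "bob", IssuerCN: "ca.example.com"}
	return map[string]error{
		"bob, trusted CA, policy matches":   VerifyAndCheck(bobPolicy, bob, trusted),
		"alice's cert against bob's policy": VerifyAndCheck(bobPolicy, alice, trusted),
		"CN bob, same issuer CN, rogue CA":  VerifyAndCheck(bobPolicy, fakeBob, trusted),
		"any trusted cert, plain X509 rule": VerifyAndCheck(CertPolicy{}, alice, trusted),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-34s -> %v\n", name, err)
	}
}
```

The ordering matters: the issuer-CN comparison in the policy is only meaningful after the chain has been validated against the trusted pool, which is why the rogue-CA case is rejected even though its issuer CN string matches. In a per-user design, the policy passed to the callback would be looked up from the connecting user's row rather than fixed per listener.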