Scratch that - setting
xpack.security.http.ssl.client_authentication: required
instead of
xpack.security.http.ssl.client_authentication: optional

is the cause of the issue.
Once set to optional, I'm able to successfully authenticate with either option

---