If an ID certificate required, I would suggest using EAP-TLS directly.
ISE supports PEAP as the outer method with EAP-TLS as the inner method and this works on Windows. However, the options for Apple native supplicants appear using the username and password as the 1st factor and an ID certificate as the 2nd factor, so I do not think it would work.