If you are using a browser to initiate the VPN you cannot use device certificates for authentication. Only User certificates are supported. However, you can create a Host Checker policy to check for a device certificate and then assign that policy to the Realm.
If you are using the Pulse client you can configure it to use the machine certificate store instead of the user store. Go into your Pulse connection set, and under "User Connection preferences" select "Select client certificate from machine certificate store".
I think the main question to answer is how the client certificate was installed. A common mistake is installing a certificate that is not designed for client authentication or installing a certificate without the private key. Could you provide the steps you used to request and install your client certificate?
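The two mistakes named in the post above (a certificate not intended for client authentication, or one installed without its private key) can be checked on the Windows client before looking at the gateway. This is an added example, not part of the original thread; the function name `Test-ClientAuthCertificate` is hypothetical, and it assumes the certificate sits in the Personal store of the current user or the local machine.

```powershell
# Added diagnostic example: reads the local certificate stores, changes nothing.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$anyEkuOid     = '2.5.29.37.0'         # anyExtendedKeyUsage

function Test-ClientAuthCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Store
    )
    process {
        # Collect the EKU OIDs, if the certificate carries an EKU extension at all.
        $ekuExt = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @()
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        # No EKU extension means the certificate is not restricted to any purpose.
        $ekuOk = (-not $ekuExt) -or
                 ($ekuOids -contains $clientAuthOid) -or
                 ($ekuOids -contains $anyEkuOid)

        $now     = Get-Date
        $inDates = ($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter)

        [pscustomobject]@{
            Store         = $Store
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            HasPrivateKey = $Certificate.HasPrivateKey   # false: installed without its key
            ClientAuthEku = $ekuOk                       # false: not usable for client auth
            InValidity    = $inDates
            Usable        = $Certificate.HasPrivateKey -and $ekuOk -and $inDates
        }
    }
}

# Check both the user store (browser logins) and the machine store (Pulse client option).
$results = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store | Test-ClientAuthCertificate -Store $store
}
$results | Format-Table -AutoSize
```

`HasPrivateKey` only reports that a key is associated with the certificate; reading `Cert:\LocalMachine\My` may require an elevated session to see every entry.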
I ran into a similar conundrum. I wanted to check that the device also got checked when logging in. So we do have the option of hostcheck - however, you can also do it via a custom certificate request.
It might be a bit cumbersome - but it seems to get the job done.
Assuming you have a User certificate template (Microsoft internal PKI) - users can enroll a certificate via MMC or the https://servername/certsrv URL.
Once you create the certificate, you can allow accessing roles at the realm level.