The issue was specific to the only Oreo devices we had available - Pixel 2 XL. It is now rectified appliance-side after disabling client certificate restriction on the authentication realm.
Strangely, the connection succeeded and the mobile client reported "connected" - however, VPN tunnel (ESP) traffic just wouldn't work on the mobile client. Send and receive byte counts remained at 0 despite trying to ping the device's allocated IP from the LAN side. "Intranet" browsing in the client's built-in browser worked, however.
Anyway, as mentioned, removing client certificate restriction solved the issue for us and is an acceptable configuration at the moment.
Thank you for the update on what you saw and how you rectified it. When you have time, can you please open a case with support to work with them for collecting data (from a test realm so your users are not negatively impacted) to send to our development team to work on this?