The issue was specific to the only Oreo devices we had available - Pixel 2 XL. It is now rectified appliance-side after disabling client certificate restriction on the authentication realm.
Strangely, the connection succeeded and the mobile client reported "connected" - however, VPN tunnel (ESP) traffic just wouldn't work on the mobile client. Send and receive byte counts remained at 0 despite trying to ping the device's allocated IP from the LAN side. "Intranet" browsing in the client's built-in browser worked, however.
Anyway, as mentioned, removing client certificate restriction solved the issue for us and is an acceptable configuration at the moment.