From my understanding, host checker applied on the realm level (require and enforce) will be checked before the user login and role level (evaluate) will be checked after user login. It's like pass this policy and I will provide a chance to login (realm) and pass this policy and I will provide you this role (Authorization).

One convenient scenario, where role level host checker is used, when you would like to provide access(assign user roles) to somebody based on their compliance results i.e. if you pass - get full access, if you fail - get limited/quartined access.

Is there a difference in the check used? No
Is it redundant to check for a machine certificate on both the realm & role? maybe, but that is a call you & your security team need to decide. doing it at both allows you to check if it is present at the realm and have role mapping rules that allow or disallow access based on if that certificate is present.

as far as the error goes: is it on all machines or only some? does the connection in your connection set enable machine store for the certificate?