The easiest – and most limited – way to implement this would be to use the default functionality of the Mendix Cloud to limit incoming connections by requiring a client certificate, see the documentation. You then allow anonymous access to your application. This way, everyone with the certificate has full access to the application, but you cannot distinguish between users or let users have distinct roles.

Alternatively, you would need to write Java code to override the login action and perform the authentication yourself, based on the (content of) the client certificate and assign a user and user roles to a session. There are multiple modules in the app store that override the default login behavior that you can use as a starting point and there is a (very old) blog post that explains the basics.

I have never heard of someone creating such a login action, and you should consider if requiring just a client certificate is safe enough: you need to write all code yourself, so there is a real chance you don't implement this flawlessly, so you would decrease the security of your application. Using a username and password together with a client certificate is fully supported of out of the box functionality, implemented by Mendix, which sounds like the safest option.