My generic advice would be to keep your API separate from your authentication routines. Your web server should handle the interaction for you.
Solutions for your side of the client-certificate scenario are dependent on your environment. You haven't posted that here, but it seems a targeted Google search should give you an idea of what's necessary.
Since you're providing an API to other parties, you do have some consideration regarding environment support for those developers. You're doing well with a REST basis, and most programming environments are going to interoperate with those rather well.
Client certificate support is likely going to vary in terms of support efficiency across environments, platforms, etc. Additionally, you're now affecting client-side implementation when you require certificates. This will almost certainly put you in a position of requiring you to support your customers and get them up and running with your API. That means familiarity with other languages, web servers, frameworks, etc.
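An added example (not part of the original answer) of the separation described above: the web server verifies the client certificate, and a thin gate in front of the API maps the verified subject to an API client, so the API handlers carry no certificate logic. It assumes a Python WSGI API behind a web server that exports the mod_ssl-style variables `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN`; `ClientCertGate`, `api_app`, `call` and the subject DN are hypothetical names and constructed sample values.

```python
# Constructed sample mapping: verified certificate subject DN -> API client id.
ALLOWED_CLIENTS = {"CN=partner-a,O=Example Partner A,C=US": "partner-a"}


def api_app(environ, start_response):
    """The API itself: no TLS or certificate handling, only the resolved client id."""
    body = ("hello " + environ["api.client_id"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


class ClientCertGate:
    """WSGI middleware that trusts only the web server's verification result."""

    def __init__(self, app, allowed):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        # Read server-set variables only. Keys starting with HTTP_ are built
        # from request headers and are therefore client-controlled.
        verified = environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
        subject = environ.get("SSL_CLIENT_S_DN", "")
        client_id = self.allowed.get(subject) if verified else None
        if client_id is None:
            body = b"client certificate required\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        environ["api.client_id"] = client_id
        return self.app(environ, start_response)


def call(app, environ):
    """Drive a WSGI app once with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


application = ClientCertGate(api_app, ALLOWED_CLIENTS)
```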