what i'm probably going to do is SocketsHttpHandler with a named client and implement SslOptions.LocalCertificateSelectionCallback to then retrieve the cert from the 'cache' based on the host name
this isn't perfect, as requests arriving in our application 'out of order' may overwrite each other, but i think it's a fairly low risk for our specific scenario
i've got an implementation that seems to run, but i have yet to test it against the actual 3rd party integration
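
A sketch of the approach described above, added as an example and not the poster's code: a host-keyed certificate store wired into `SslOptions.LocalCertificateSelectionCallback` on a `SocketsHttpHandler`. The `ClientCertCache` class, the host `partner.example` and the self-signed certificate are constructed for illustration, and the named-client registration is left out.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical host-keyed store standing in for the 'cache' in the post.
public static class ClientCertCache
{
    private static readonly ConcurrentDictionary<string, X509Certificate2> Certs =
        new(StringComparer.OrdinalIgnoreCase);

    // Last write wins: a second Set for the same host replaces the first.
    public static void Set(string host, X509Certificate2 cert) => Certs[host] = cert;

    // Same parameter list as the LocalCertificateSelectionCallback delegate.
    public static X509Certificate Select(object sender, string targetHost,
        X509CertificateCollection localCertificates,
        X509Certificate? remoteCertificate, string[] acceptableIssuers)
        => Certs.TryGetValue(targetHost, out var cert) ? cert : null!; // null: offer no cert
}

public static class Program
{
    public static SocketsHttpHandler BuildHandler() => new()
    {
        SslOptions = new SslClientAuthenticationOptions
        {
            LocalCertificateSelectionCallback = ClientCertCache.Select
        },
        // The callback runs only during a TLS handshake; a pooled connection keeps
        // the certificate it was opened with until the connection is recycled.
        PooledConnectionLifetime = TimeSpan.FromMinutes(2)
    };

    public static void Main()
    {
        // Constructed sample: throwaway self-signed cert for a placeholder host.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=sample-client", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        ClientCertCache.Set("partner.example", cert);

        using var client = new HttpClient(BuildHandler());
        var picked = ClientCertCache.Select(client, "partner.example",
            new X509CertificateCollection(), null, Array.Empty<string>());
        Console.WriteLine(picked?.Subject ?? "none");
    }
}
```

With a named client, the same handler can be returned from `ConfigurePrimaryHttpMessageHandler` on the `AddHttpClient` registration.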