It's an authorization concern that the user be authenticated, so I had to add that as the fallback policy and everything works. I made the following addition to the ServiceCollectionExtensions.AddCertificateAuthenticationService method:
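    // AuthorizationPolicyBuilder is in the Microsoft.AspNetCore.Authorization namespace.
    builder.Services.AddAuthorization(options =>
    {
        // The fallback policy applies to every endpoint that carries no
        // authorization metadata of its own.
        options.FallbackPolicy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
    });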
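
For context, a minimal Program.cs showing where the fallback policy sits relative to certificate authentication and how a single endpoint opts out of it. This is an added example, not code from the original post; the endpoint paths, the AllowCertificate client-certificate mode and the inline registration (in place of the poster's AddCertificateAuthenticationService method) are assumptions.

```csharp
// Program.cs (.NET 6+ minimal hosting).
// Assumes the Microsoft.AspNetCore.Authentication.Certificate package is referenced.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Request a client certificate during the TLS handshake without failing the
// handshake when none is sent, so the anonymous endpoint below stays reachable.
builder.WebHost.ConfigureKestrel(kestrel =>
    kestrel.ConfigureHttpsDefaults(https =>
        https.ClientCertificateMode = ClientCertificateMode.AllowCertificate));

// Authentication only establishes who the caller is; it rejects nothing by itself.
builder.Services
    .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        options.AllowedCertificateTypes = CertificateTypes.Chained;
    });

// Authorization decides what an unauthenticated caller may reach.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

// Order matters: the identity must be set before authorization evaluates it.
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint with no authorization metadata: the fallback policy
// applies, so a request without a valid client certificate is rejected.
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name ?? "(no name claim)");

// Hypothetical endpoint that opts out explicitly: the fallback policy is skipped.
app.MapGet("/health", () => "ok").AllowAnonymous();

app.Run();
```

Without the fallback policy, /whoami would be served to callers that present no certificate, because certificate authentication on its own only populates the user and enforces nothing.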