Bruce - there is no "security hole" in ClearPass. EAP-TLS really doesn't have a concept of outer and inner methods as it's not a tunneled EAP method. macOS allows you to manually set the username instead of automatically pulling it from the certificate (the default behavior).
To reject authentications where the username does not match the contents of the certificate, simply configure your EAP-TLS method to use certificate comparison.
Username entered as optional Account Name in macOS
Username in the certificate
Rejected
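
A sketch of what the comparison described above decides, added here as an example; it is not part of the original post and is not ClearPass code. The certificate model, the mode names and the case-insensitive matching are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ClientCert:
    """Constructed stand-in for the identity fields of a client certificate."""
    common_name: str
    san_entries: list = field(default_factory=list)  # e.g. email or UPN values

# Hypothetical mode labels for this sketch (not product setting names).
MODES = ("none", "cn", "san", "cn_or_san")

def _norm(value):
    # Assumption: names are compared case-insensitively, ignoring outer whitespace.
    return value.strip().lower()

def cert_identities(cert, mode):
    """Return the certificate names a username is allowed to match in this mode."""
    names = set()
    if mode in ("cn", "cn_or_san"):
        names.add(_norm(cert.common_name))
    if mode in ("san", "cn_or_san"):
        names.update(_norm(entry) for entry in cert.san_entries)
    return names

def authorize(eap_identity, cert, mode="none"):
    """Accept or reject once the TLS handshake has already validated the cert.

    eap_identity is the username the supplicant sent, which in EAP-TLS is
    supplied separately from the certificate and may have been typed by hand.
    """
    if mode not in MODES:
        raise ValueError(f"unknown comparison mode: {mode}")
    if mode == "none":
        # No comparison: any username is accepted alongside a valid certificate.
        return "accept"
    if _norm(eap_identity) in cert_identities(cert, mode):
        return "accept"
    return "reject"

# Constructed sample certificate.
CERT = ClientCert("alice", ["alice@example.com"])

if __name__ == "__main__":
    for user, mode in [("bob", "none"), ("bob", "cn"), ("alice", "cn"),
                       ("alice@example.com", "cn_or_san")]:
        print(f"{user!r:22} mode={mode:10} -> {authorize(user, CERT, mode)}")
```
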