My recommendation is to delete both the network and connection request policy you created. Then, create a new Network Policy. The default Connection Request Policy (Use Windows authentication for all users) can stay enabled (it is basically unrestricting).
Create a new Network Policy. You can start with minimal configurations to ensure functionality; then go back and addtional conditions as necessary.
Policy Name - Anything
Type of Network Access Server - Unspecified
Conditions - NAS Port Type = Wireless - IEEE 802.11 (initially, I'd recommend you add more later)
Acesss Granted
EAP Type - Microsoft: Smart Card or other certificate; click Edit and make sure your Certificate is populated
Constraints - NONE
RADIUS Attributes - NONE (unless needed later on)
Move this new policy to the very top of the Network Policies. Test. If successful, consider adding additional conditions such as "Client Friendly Name" or "Windows Group" memberships. If it fails, please post the NPS log entry.