Customer was able to resolve this; here is what happened:
Customer was using the factory (default) computer certificate from Windows Server, which must have been missing some information or was just not intended for use by machines. Customer created a new computer certificate and pushed it out to the machines, and authentication works successfully.
Just an FYI in case anybody runs into the same issue. I'm not super well versed in Windows Server Administration, so this will be something I keep in mind when doing more EAP-TLS deployments.
Thanks everyone for the help and input!