In general, the MAC authentication service should be above the 802.1X service for the same SSID.
The authentication method (MAC/802.1X) is evaluated after the service has been selected. If a request does not match the right service, either add modify the service condition rules of the service that should not match and/or move the rule that does not match before that wrongly matching rule.
Please note that how to order services and resolve conflicts like there is very fundamental ClearPass knowledge and doing the wrong thing can break complete networks. If you haven't engaged with a professional for design and advice, for a production environment you should do so.