Could your issue be that you have multiple certificates installed on the client, one from AD and one from Intune, and the client is selecting the wrong certificate during the authentication (the AD one instead of the Intune one)?
If that is the case, in your supplicant configuration you can change simple certificate selection to one issued by a specific CA:

Also make sure that the certificate issued through Intune has the Intune DeviceID as the Subject-CN, which is not the default.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 20, 2023 06:04 AM
From: DaveG
Subject: Intune Auth Source
Hi,
I've followed this guide to try and get the extra Intune attributes for a device
Intune extension 6 is installed and can sync with Intune and import devices into the endpoint configuration
I'm using the filter query of %{Certificate:Subject-CN}
However, all that will happen is I get
HTTP attribute query returned error=404
Edit: I think I see the issue. All the devices have a machine cert from Active Directory CA. So the Certificate:Subject-CN matches x335; however, that doesn't match the Intune Device Id which is used in the lookup.
Is there any way to read two machine certs or force the authorization Intune query to match Certificate:Subject-CN which returns x335 and then get the Intune Device ID from that and run the query?
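
A way to check the situation discussed in this thread on an affected Windows client, as an added example that is not part of the original posts: it lists the machine certificates the supplicant can pick for client authentication, with issuer and Subject-CN, and flags whether a CN is GUID-shaped. It assumes a Windows client using the `LocalMachine\My` store and that the Intune device ID is a GUID.

```powershell
# Added diagnostic example (not from the thread). Run in an elevated PowerShell
# session on the client that fails the Intune lookup.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$simpleName    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Valid machine certificates with a private key that carry the client-auth EKU.
# Certificates with no EKU extension at all are skipped by this filter.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}

$report = @(foreach ($cert in $candidates) {
    $cn     = $cert.GetNameInfo($simpleName, $false)   # subject CN
    $parsed = [guid]::Empty
    [pscustomobject]@{
        SubjectCN  = $cn
        IssuerCN   = $cert.GetNameInfo($simpleName, $true)
        # Assumption: an Intune device ID is a GUID, so a hostname CN fails this.
        CNIsGuid   = [guid]::TryParse($cn, [ref]$parsed)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
})

$report | Format-Table -AutoSize

if ($report.Count -gt 1) {
    Write-Warning ("{0} client-auth machine certificates found; the supplicant may present any of them unless selection is pinned to one issuing CA." -f $report.Count)
}
if (-not ($report | Where-Object CNIsGuid)) {
    Write-Warning "No candidate certificate has a GUID-shaped Subject-CN, so a lookup keyed on the Intune device ID cannot match."
}
```

Compare the `SubjectCN` of the certificate actually presented (visible in the RADIUS server's authentication record) with this table to see which issuer's certificate the client selected.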