I just tested this in the lab, and you can do EAP-TLS on just the Instant AP:
- Upload the 'radius server certificate' as a Server certificate
- Upload the root CA that issued the client certificates as 'Trusted CA'
Then, under Certificate Usage, configure your server certificate as RADIUS - Server, and the Trusted CA as RADIUS Trusted CA (I missed the last one at first and had to add it to make it work).
Then configure the SSID for WPA2 Enterprise and the Internal database for Authentication. There is no need to create users; you will see the name of the client as the username in the client list.
Note that any client certificate issued by the Trusted CA is accepted for EAP-TLS.
Note that there will also be no CRL/OCSP checking on the client certificate.
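
The last two notes can be reproduced offline. This is an added example, not part of the original post and not Aruba tooling: `openssl verify` stands in for any validator that only checks the chain, and the CA name, client name and file names are constructed.

```shell
#!/bin/sh
# Constructed lab PKI: issue one client cert, revoke it, then validate it
# with and without revocation checking.
demo_revocation_gap() (
  set -e
  d=$(mktemp -d); cd "$d"
  mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = lab
[ lab ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
  # Root CA that would be uploaded as the 'Trusted CA' (constructed name).
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=Lab Client CA" -days 30 2>/dev/null
  # Client certificate, issued and then revoked by that CA.
  openssl req -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj "/CN=laptop-01" 2>/dev/null
  openssl ca -batch -notext -config pki.cnf -in client.csr -out client.pem 2>/dev/null
  openssl ca -config pki.cnf -revoke client.pem 2>/dev/null
  openssl ca -config pki.cnf -gencrl -out ca.crl 2>/dev/null
  # Chain-only validation: the revoked certificate is still accepted.
  if openssl verify -CAfile ca.pem client.pem 2>&1 | grep -q ': OK$'
  then chain=accept; else chain=reject; fi
  # Same certificate with the CRL consulted: rejected.
  if openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check client.pem 2>&1 | grep -q ': OK$'
  then crl=accept; else crl=reject; fi
  cd /; rm -rf "$d"
  echo "chain-only=$chain with-crl=$crl"
)
demo_revocation_gap
```

With a chain-only check, the practical ways to cut off a lost or retired client are to let its certificate expire or to replace the Trusted CA, so a dedicated issuing CA with short client certificate lifetimes limits the exposure.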