Run into the exact same issue.
Initially, have been trying to use a perfectly working EAP-TLS service for corporate machines and add the BlackBerry UEM authorization source to allow corporate-managed phones (valid certificate and UEM-managed is the role mapping).
Fail the authentication, obviously cause it only has the AD and UEM cannot be added there.
Tried duplicating the service and have 2 separate, but 802.1X template does not allow me to remove authentication source and methods, and only use authorization.
Is there something I'm missing?