Feature parity bug, should be achievable with most major browsers.
This is unfortunately very difficult. The way smart card authentication works in browsers is that during the TLS handshake the server will ask the client to authenticate itself. Now the problem is how do we know when to do that? We have no idea what the URI is at this point. Normally you solve this by having a different hostname for the pages that require authentication. Not really ideal for our case though. And if you want to reuse the IP number you need SNI.
And with that solved, we still have to deal with the generally shitty interface in the browsers for smart cards.
There is also the option of requiring a plugin, but that kind of defeats one of the main points of the HTML client.
Red Hat has apparently added smart card authentication to the web console included in RHEL 9. Could be worth checking what system they use and see if it is appropriate for us.