Active Directory LDAP bind via X.509 client certificate authentication

Solution 1:

That would be using the same attribute mapping mechanisms as smart card authentication. The standard way is to have the user's UPN in the SAN, mapped to the userPrincipalName attribute. Other attributes could be used, but that is not common: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration

I don’t know whether LDAP will accept certificates only from a CA in the NTAUTH store (which is required for smart cards), or from any trusted CA. Easy to test though.