Postfix client cert info not being passed to opendkim milter

Because you only accept authenticated mail anyway, you do not need to pass information about which method was used to opendkim - only the (boolean) distinction between ports that have mandatory authentication (sign) and ports that do not offer authentication (verify).

You can set -o milter_macro_daemon_name=whatever in master.cf to let opendkim know which mail should be signed. That macro would otherwise default to $myhostname, but by using (arbitrary, opendkim does not care) different values for verifying-only and for mandatory-auth ports you can distinguish them.

Docs recommend using ORIGINATING and VERIFYING to make it super obvious. MacroList in your opendkim.conf can then check whether daemon_name is equal to whatever you set.