PXE in an 802.1X environment
Solution 1:
In the end, we decided the best way for us to use PXE with 802.1X was to assign unauthenticated machines to a guest VLAN. At the router, the VLAN is ACL'd to only the DC (which also hosts DHCP), Enterprise CA, and PXE servers. We then added ip helper-address entries to the VLAN to both servers.
Once the machine is successfully imaged on the guest VLAN, the operating system then takes over. Our task sequence has it automatically join the domain. Group Policy then directs the machine to obtain a client cert and participate in 802.1X authentication.
The advantage to this method is that we don't have to worry about MAC address bypass or manually disabling/reenabling 802.1X on a port.
MAC address bypass would be difficult for us to do, since it would require us to create user accounts in AD of the machine MAC address. Since the password is the MAC address as well, we would have to disable our password complexity policy, which is a non-starter.
Using AMT for the supplicant would require us to perform out-of-band provisioning, which puts us in a chicken-or-egg scenario.
Thank you to everyone who viewed/provided input on this question.
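The guest-VLAN design above depends on the ACL permitting only the DC/DHCP, Enterprise CA and PXE servers. The following audit check is an added example, not part of the original post: it flags any permit entry that reaches beyond that allow-list. The addresses are constructed RFC 5737 placeholders, and the ACL is assumed to be in IOS-style extended syntax (a subset: `any`, `host`, address plus wildcard, and port matches).

```python
import ipaddress

# Constructed placeholders (RFC 5737 addresses); the post gives no addresses.
ALLOWED = {"192.0.2.10": "DC/DHCP", "192.0.2.11": "Enterprise CA", "192.0.2.12": "PXE"}

# Constructed IOS-style extended ACL for the guest VLAN; line 5 is too broad.
SAMPLE_ACL = """\
permit udp any eq bootpc any eq bootps
permit ip any host 192.0.2.10
permit ip any host 192.0.2.11
permit ip any host 192.0.2.12
permit tcp any 192.0.2.0 0.0.0.255 eq 445
deny ip any any
"""

def _endpoint(tok):
    """Consume one address spec plus optional port match.
    Returns (network or None for 'any', port tokens, remaining tokens)."""
    if tok[0] == "any":
        net, tok = None, tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    else:  # address followed by a wildcard mask; invert it to a netmask
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
        net, tok = ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]
    n = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}.get(tok[0] if tok else "", 0)
    return net, tok[:n], tok[n:]

def audit_guest_acl(acl_text, allowed=ALLOWED):
    """Return (line_no, line, reason) for each permit that reaches beyond the allow-list."""
    findings = []
    for no, line in enumerate(acl_text.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0] != "permit":
            continue
        proto = tok[1]
        _, _, rest = _endpoint(tok[2:])      # source side is not checked here
        dst, dport, _ = _endpoint(rest)
        if dst is None:
            # Only the client DHCP broadcast that the helper-address relays may go to 'any'.
            if not (proto == "udp" and dport in (["eq", "bootps"], ["eq", "67"])):
                findings.append((no, line, "permit to any destination"))
        elif dst.prefixlen != 32 or str(dst.network_address) not in allowed:
            findings.append((no, line, f"destination {dst} is not an allowed server"))
    return findings

if __name__ == "__main__":
    for finding in audit_guest_acl(SAMPLE_ACL):
        print(finding)
```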