I use client certs and tested this proposed change, and can confirm it doesn't break client cert authentication, since it will never hit that code path if a matching cert identity is found, so it seems it would be a harmless change.
This is really an edge case where the server is configured to request a client cert, but Munki isn't configured to offer one, similar to
https://github.com/munki/munki/issues/1095 where the server was misconfigured.
I'd suggest adding the following before the NSURLSessionAuthChallengePerformDefaultHandling call, so the log reflects what's happening.
self.log('Allowing OS to handle authentication request')
-rob