SMB over QUIC Client Access Control is inconsistent
We have set up SMB over QUIC on some Windows 2025 file servers and generally it works well. Unfortunately, of course, it is not secure by design since there is no MFA or conditional access in the picture. Thus, securing the connections falls to its Client Access Control feature, where you can allowlist or blacklist connections using client certificates.
We implemented this in multiple environments (different domains) and although it works initially, it then starts failing with no changes having been made. The behavior is always the same across various domains once it starts failing. First, the connection shows successful:
The SMB connection was successfully established.
Endpoint Name: FILES
Transport: Quic
Server socket address: x.x.x.x:443
Client socket address: x.x.x.x:8205
Connection ID: 0xB1D0039C01XXXXXX
Mutual authentication: Yes
Access control: Yes
Then immediately it fails less than a second later:
Quic connection shutdown.
Error: Mutual authentication failed.
Reason: Server close the connection.
Endpoint Name: FILES
Transport Name: \Device\SmbQUICIpv4_0006_x.x.x.x
Guidance:
This event indicates that the winquic connection is shutting down by the server. This event commonly occurs because the server certificate mapping is not created. It may also be caused by the server failed to configure the winquic connections.