@ralacher
Created September 9, 2022 17:04
Azure API Management policy to selectively enforce mTLS
<policies>
    <inbound>
        <base />
        <choose>
            <!-- No certificate required for this host. The branch short-circuits with a 200 to make the
                 behaviour visible; a production policy would simply fall through to the backend instead.
                 GetValueOrDefault("Host", "") avoids a null-reference policy error if the header is absent. -->
            <when condition="@(context.Request.Headers.GetValueOrDefault("Host", "").Equals("no-mtls.example.org", StringComparison.OrdinalIgnoreCase))">
                <return-response>
                    <set-status code="200" reason="OK" />
                    <set-body>No certificate required for no-mtls.example.org</set-body>
                </return-response>
            </when>
            <!-- Deal with missing certificate. context.Request.Certificate is only populated when the custom
                 domain has client certificate negotiation enabled; without it this branch fires for every call. -->
            <when condition="@(context.Request.Headers.GetValueOrDefault("Host", "").Equals("yes-mtls.example.org", StringComparison.OrdinalIgnoreCase) &amp;&amp; context.Request.Certificate == null)">
                <return-response>
                    <set-status code="403" />
                    <set-body>No certificate provided</set-body>
                </return-response>
            </when>
            <!-- Deal with invalid certificates. The null case is handled by the branch above, so Verify() is
                 safe to call here. Verify() checks validity and chain against the CA certificates trusted by
                 the gateway; it does not pin an issuer, subject or thumbprint, so add such a check if only
                 certificates from one specific CA should be accepted. -->
            <when condition="@(context.Request.Headers.GetValueOrDefault("Host", "").Equals("yes-mtls.example.org", StringComparison.OrdinalIgnoreCase) &amp;&amp; !context.Request.Certificate.Verify())">
                <return-response>
                    <set-status code="403" />
                    <set-body>Invalid certificate</set-body>
                </return-response>
            </when>
            <!-- Otherwise: any Host value that matches neither branch exactly is forwarded to the backend
                 with no certificate check at all, so keep the host list complete. -->
            <otherwise />
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>