Forum Discussion
Access profile - force user to reauthenticate
Since you're doing client cert, even if you did force re-authentication the client wouldn't see it, as modern browsers will remember the chosen cert and not re-prompt. If you set the frequency option in the client SSL profile to always (vs. once), a full mutual handshake will be forced at each new TCP connection, which would do what you need more or less, but also incur some latency.
You're using the client cert inspection agent in the visual policy, so that also implies that you're requiring the client certificate from within the client SSL profile. In that case, the client is establishing an SSL (encrypted) session with a server (BIG-IP) that requires mutual authentication. The client and server may periodically renegotiate new session encryption keys, but at no time would there be a lapse in SSL continuity that might warrant forced re-authentication. If you used the on-demand cert auth agent or any other authentication form, that'd be a different story.