Also, set the clientssl profile certificate to request. APM has two different ways to do client certs: You can set the clientssl profile to request them, OR you can set the clientssl profile to not request them and use On-Demand cert authentication.
If you use On-Demand, the certificate is requested via SSL renegotiation during Access Policy execution, and the cert's properties are available as session variables automatically. This means that you don't really have to use iRules at all (which is preferred for simplicity's sake); you can use branch rules in the VPE and send the user to a remediation page or whatever user-friendly error you want at the end of the Access Policy.
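The two clientssl settings described above side by side, as an added tmsh example that is not part of the original post; the profile names, the CA bundle name and the branch-rule expression are assumptions (the expression mirrors the default "Successful" branch of the On-Demand Cert Auth agent, where 0 in session.ssl.cert.valid means the certificate verified).

```tmsh
# Option 1: the clientssl profile itself asks for the client certificate
# during the initial handshake. ca-file is the CA bundle the BIG-IP
# verifies the presented certificate against (assumed name: my_ca_bundle).
create ltm profile client-ssl clientssl_request \
    defaults-from clientssl \
    peer-cert-mode request \
    ca-file my_ca_bundle.crt

# Option 2: the profile does NOT ask for a certificate. The Access Policy's
# On-Demand Cert Auth agent renegotiates later and populates
# session.ssl.cert.* (subject, whole, valid ...) for branch rules.
create ltm profile client-ssl clientssl_ondemand \
    defaults-from clientssl \
    peer-cert-mode ignore \
    ca-file my_ca_bundle.crt

# VPE branch rule (Tcl expression) on the On-Demand Cert Auth agent's
# "Successful" branch; anything else falls through to a remediation page.
# expr { [mcget {session.ssl.cert.valid}] == 0 }
```

Do not combine the two: with peer-cert-mode request on the profile, the On-Demand agent has nothing new to request and the session variables already reflect the initial handshake.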