PKI PIN works for users from one network, not the other.
Late to the party, but does traffic break for external network users? Is decryption/re-encryption configured anywhere? For mutual TLS (client cert auth) you cannot decrypt the traffic at the proxy if the backend server requires the client certificate. At a high level, a mutual TLS handshake requires the client to generate a hash (signed by its private key). If the traffic is getting decrypted anywhere in that path, the re-encrypting device would not have access to the client's private key to correctly generate that hash.
The one exception to the above is when using C3D on BIG-IP (client certificate constrained delegation). This feature allows you to explicitly decrypt mutual TLS client traffic on the client side, and then forge a client certificate to the server on the back side.
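As an added illustration of the point made above (constructed for this page, not code from the original post, from F5, or from any TLS library): a toy model of the CertificateVerify step in a mutual TLS handshake, showing why a plain decrypt/re-encrypt proxy cannot satisfy the server's client-certificate check, while a C3D-style delegation can because the server has been told to trust the proxy's own certificates. Assumptions: the keys are small textbook RSA pairs from fixed primes, handshake transcripts are plain strings, and the signature is raw RSA over a SHA-256 digest with no padding; real TLS uses proper padding and large keys, but the logic is the same.

```python
import hashlib

def toy_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two fixed primes (toy key size; illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)

# Constructed toy keys: the client's (carried in its certificate) and the
# proxy's own signing key (used only in the C3D-style case below).
CLIENT_PUB, CLIENT_PRIV = toy_keypair(1000003, 1000033)
PROXY_PUB, PROXY_PRIV = toy_keypair(1000037, 1000039)

def transcript_hash(transcript: str, n: int) -> int:
    """Digest of every handshake message exchanged so far, reduced for the toy key."""
    return int.from_bytes(hashlib.sha256(transcript.encode()).digest(), "big") % n

def certificate_verify(transcript: str, private_key) -> int:
    """Client side: the CertificateVerify signature over the transcript hash."""
    n, d = private_key
    return pow(transcript_hash(transcript, n), d, n)

def server_accepts(transcript: str, signature: int, public_key) -> bool:
    """Server side: check the signature with the public key from the presented cert."""
    n, e = public_key
    return pow(signature, e, n) == transcript_hash(transcript, n)

def direct_handshake() -> bool:
    """No decryption in the path: one transcript, signed by the real client key."""
    t = "ClientHello|ServerHello|ServerCert|CertificateRequest"
    return server_accepts(t, certificate_verify(t, CLIENT_PRIV), CLIENT_PUB)

def intercepted_handshake() -> bool:
    """Plain decrypt/re-encrypt: the proxy runs two separate handshakes. It sees
    the client's signature on the client-side transcript, but it has no client
    private key, so the best it can do is forward that signature unchanged."""
    client_side = "ClientHello|ServerHello(proxy)|ProxyCert|CertificateRequest"
    server_side = "ClientHello(proxy)|ServerHello|ServerCert|CertificateRequest"
    forwarded = certificate_verify(client_side, CLIENT_PRIV)
    return server_accepts(server_side, forwarded, CLIENT_PUB)

def c3d_style_handshake() -> bool:
    """C3D-style delegation: the proxy presents a client cert it minted itself and
    signs the server-side transcript with its own key; this only works because
    the server has been configured to trust the proxy's issuing CA."""
    server_side = "ClientHello(proxy)|ServerHello|ServerCert|CertificateRequest"
    sig = certificate_verify(server_side, PROXY_PRIV)
    return server_accepts(server_side, sig, PROXY_PUB)
```

The middle case is the one to check for when users behind a decrypting device suddenly fail client-certificate authentication: the server-side handshake transcript never matches anything the real client signed.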