This is a good use case for APM's "Per Request Policy" feature. You can create URL branches which require authentication and portions of the site which does not. This could also enable "step-up" authentication use cases where access to certain parts of a site could require stronger authentication.
On-Demand Cert Authentication or ODCA is an option in a Per Request Policy.
On Demand Certificate Authentication
How Step-up Authentication works:
Step-up Authentication with Client Certificate example: