What I suspect is happening here is that you have 2 TLS tunnels.
First between the client device and the proxy
Second between the proxy and the sentry.
Sentry is likely to be challenging for client certificate, however this challenge is in the second tunnel and is not passed through to the device.
I recommend you do a traffic capture on the sentry and see if the client certificate is being requested by the sentry.
If there is a client certificate request you will need to challenge for client certificate at the proxy and pass it through to the sentry.