I'm looking for a managed solution in Azure to do client certificate validation on TLS level. The app services support client certificates, but only as "header-forward" to your code. This makes it impossible to send a proper TLS handshake error. So, my question, is there any managed service in Azure which does client certificate validation and supports TLS level errors?
There is no out-of-the-box service in Azure to implement and verify a TLS handshake between client and server. Microsoft enforces that each application in Azure must implement it's own certificate verification code using libraries supported by the programming language.
The managed service that is available is a key store, where private and public keys can be stored and used by apps.
I don't believe Microsoft would document something saying "we don't have X feature in Azure", therefore we can imply by the official documentation of how to configure TLS and verify certificates, that each app must implement it's TLS related functions:
Use an SSL certificate in your code in Azure App Service
Your app code may act as a client and access an external service that requires certificate authentication, or it may need to perform cryptographic tasks.
This is followed by examples of how to perform TLS certificate verification in some common programming languages.