NIAP: View Technical Decision Details
Archived TD0623:  FIA_X509_EXT.2.1 Protocol Selection

Publication Date
2022.02.11

Protection Profiles
PP_MDF_V3.2

Other References
FIA_X509_EXT.2.1

Issue Description

The SFR in v3.2 currently lists this selection as the first available in the requirement:

[selection: IPsec in accordance with the PP-Module for VPN Client, mutually authenticated DTLS as defined in the Package for Transport Layer Security]

The problem is that neither of these two selection items is mandatory, and there is no option for "no other methods".

Resolution

FIA_X509_EXT.2.1 is modified as follows, with underline denoting addition:

FIA_X509_EXT.2.1  

The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for mutually authenticated TLS as defined in the Package for Transport Layer Security, HTTPS, [selection: IPsec in accordance with the PP-Module for VPN Client, mutually authenticated DTLS as defined in the Package for Transport Layer Security, no other protocol], and [selection: code signing for system software updates, code signing for mobile applications, code signing for integrity verification, [assignment: other uses], no additional uses].

Justification

See issue description.

 
 