NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0106:  Removing SDES/SRTP from FIA_X509_EXT.2

Publication Date
2016.09.22

Protection Profiles
PP_VOIP_V1.3

Other References
PP_VOIP_V1.3, FIA_X509_EXT.2.1

Issue Description

The FIA_X509_EXT.2 requirement mandates support for X.509 authentication for SDES-SRTP and TLS. SDES-SRTP is used to protect voice calls that are peer-to-peer (between client applications). There are no provisions for X.509 authentication within SDES-SRTP.

Resolution

Remove SDES/SRTP from the requirement:

FIA_X509_EXT.2.1 The [selection, choose at least one of: VoIP client application, client device platform] shall use X.509v3 certificates as defined by RFC 5280 to support authentication for SDES/SRTP, TLS, and [selection: code signing for software updates, code signing for software integrity verification, no additional uses].

Changed to:

FIA_X509_EXT.2.1 The [selection, choose at least one of: VoIP client application, client device platform] shall use X.509v3 certificates as defined by RFC 5280 to support authentication for TLS and [selection: code signing for software updates, code signing for software integrity verification, no additional uses].

 

Justification

X.509 authentication is used in the TLS connection that protects the SIP signaling messages, which carry the symmetric keys that are then used for the SDES-SRTP session.
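The dependency described in the justification can be checked on captured signaling. The following is an added example, not part of the NIAP decision text: it parses the SDES `a=crypto` attribute (RFC 4568) from a SIP message and flags key material carried over signaling that is not TLS-protected. The sample INVITE, host names, key bytes and the function names are constructed for illustration, and only the long `Via:` header form is handled.

```python
import base64
import re

# RFC 4568: a=crypto:<tag> <crypto-suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)", re.M)
# RFC 3261: the topmost Via header names the transport (long header form only)
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)", re.M | re.I)

# Constructed sample key material: 16-byte master key + 14-byte salt, not a real key
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()


def make_invite(transport):
    """Build a constructed SIP INVITE whose SDP body offers one SDES key."""
    return "\r\n".join([
        "INVITE sip:bob@example.test SIP/2.0",
        f"Via: SIP/2.0/{transport} client.example.test;branch=z9hG4bKconstructed",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "m=audio 49170 RTP/SAVP 0",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^20",
    ])


def sdes_offers(sip_message):
    """Return (tag, suite, key_len_bytes) for each SDES a=crypto line in the SDP."""
    return [(int(tag), suite, len(base64.b64decode(b64)))
            for tag, suite, b64 in CRYPTO_RE.findall(sip_message)]


def check_signaling(sip_message):
    """Flag SDES keys carried over signaling that is not protected by TLS.

    The a=crypto line holds only a symmetric key: it has no certificate or
    signature field, so the TLS layer is the only place X.509 can apply.
    """
    via = VIA_RE.search(sip_message)
    transport = via.group(1).upper() if via else "UNKNOWN"
    offers = sdes_offers(sip_message)
    return {"transport": transport, "offers": offers,
            "keys_exposed": bool(offers) and transport != "TLS"}


if __name__ == "__main__":
    for t in ("TLS", "UDP"):
        print(check_signaling(make_invite(t)))
```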

 
 