When you set up an access restriction profile with the top 3 levels of your certificate chain and then configure that profile for certain endpoints, you are restricting access to those endpoints to calls that carry a certificate signed by a certificate in your restriction profile (depending on which certificate you added a checkmark to).
Let's say you only put a checkmark on the 3rd certificate in the chain. This means that only HTTP calls with an accompanying client certificate signed by this 3rd certificate will be granted access.
If this call comes from another Mendix application, you do need (as you have mentioned in your own answer) to add this certificate to your outgoing call. If you use one that is created by Mendix, it obviously was not signed by the 3rd certificate in the chain, and therefore will not be granted access.
If I configured it like this, only calls with the client1 certificate (or other client certificates that were signed by subca1) will be granted access, and in Mendix apps, you need to add those certificates to outgoing calls.
Hope this helps,
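The rule described in the answer above can be reproduced locally with OpenSSL. This is an added example, not part of the original answer and not Mendix code; it assumes the restriction behaves like trusting only the checkmarked certificate, and the names `root`, `intermediate` and `client2` and the helper functions are made up for the test (only `subca1` and `client1` come from the answer).

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> subca1 -> client1.
# client2 is issued by the intermediate, so it shares the root but was
# NOT signed by subca1 (the certificate assumed to carry the checkmark).
set -eu
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$PKI/ca.ext"

# new_key_csr NAME: private key plus signing request for CN=NAME
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

# issue NAME ISSUER SERIAL [EXTFILE]: sign NAME's request with ISSUER's key
issue() {
  new_key_csr "$1"
  openssl x509 -req -in "$PKI/$1.csr" -days 2 -set_serial "$3" \
    -CA "$PKI/$2.pem" -CAkey "$PKI/$2.key" ${4:+-extfile "$4"} \
    -out "$PKI/$1.pem" 2>/dev/null
}

# accepted_by_profile ANCHOR CERT: succeeds only if CERT chains to ANCHOR
# when ANCHOR is the sole trusted certificate (models the checkmark).
accepted_by_profile() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

new_key_csr root
openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" -days 2 \
  -set_serial 1 -extfile "$PKI/ca.ext" -out "$PKI/root.pem" 2>/dev/null
issue intermediate root 2 "$PKI/ca.ext"
issue subca1 intermediate 3 "$PKI/ca.ext"
issue client1 subca1 4
issue client2 intermediate 5

for c in client1 client2; do
  if accepted_by_profile "$PKI/subca1.pem" "$PKI/$c.pem"; then
    echo "$c: access granted"
  else
    echo "$c: access denied"
  fi
done
```
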
It seems that an outgoing connection certificate is mandatory to be able to encrypt the client side of a 2-side SSL. You can use the SSL certificate for it, but only if you created the SSL certificate with your own private key (not when you let Mendix create your SSL certificate request). And you will have to upload the certificate in the outgoing connection certificate section.
If someone disagrees with this solution, please let me know!