FYI: During connection Certificates for authentication are send unencrypted in TLS1.2.
The problem is fixed in TLS1.3 that Xojo isnt supporting yet.
TLS1.3 seems to be supported in MBS:
https://www.mbsplugins.eu/CURLSetOptionSSLVersion.shtml
(but Christian can elaborate)