AFAIK the only product that can do this is Apache (triggering on-demand TLS renegotiation, even based on different directories).
But this is not a solution going forward: with TLS v1.3, there is no renegotiation anymore.
You will have to find another solution. I understand using the wildcard certificate is convenient, but how about using two wildcard certificates, one for client cert auth and one for everything else?
Like:
*.mydomain.com
→ everything without client cert auth
*.auth.mydomain.com
→ moving alarm and gitlist into this subdomain
Those two wildcard certificates do not overlap at all, as the wildcard only matches a single DNS label.
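What the two-certificate split looks like in Apache httpd, as an added example (this is not part of the answer above, and the file paths, the client CA bundle name and the DocumentRoot locations are assumptions): one name-based SSL vhost per wildcard, with `SSLVerifyClient require` set for the whole `*.auth.mydomain.com` vhost so that the client certificate is requested in the initial handshake and no renegotiation is ever needed.

```apache
# Added example, not from the original answer. Paths, CA file and
# DocumentRoots are assumed; adjust to your setup.

# Apache selects a name-based SSL vhost by matching the SNI name against
# ServerName/ServerAlias in definition order, and the ServerAlias glob "*"
# matches across dots (unlike the certificate wildcard, which covers a
# single DNS label). So the more specific *.auth.mydomain.com vhost must
# come first, or *.mydomain.com would catch it.
<VirtualHost *:443>
    ServerName  alarm.auth.mydomain.com
    ServerAlias *.auth.mydomain.com

    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Certificate for *.auth.mydomain.com (assumed paths)
    SSLCertificateFile    /etc/ssl/certs/wildcard.auth.mydomain.com.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.auth.mydomain.com.key

    # Client cert auth for the entire vhost: requested during the initial
    # handshake, so this also works when the connection negotiates TLS 1.3.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  1

    # alarm and gitlist live here now (assumed location)
    DocumentRoot /var/www/auth
</VirtualHost>

# Everything else: server certificate only, no client certificate asked for.
<VirtualHost *:443>
    ServerName  www.mydomain.com
    ServerAlias *.mydomain.com

    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Certificate for *.mydomain.com (assumed paths)
    SSLCertificateFile    /etc/ssl/certs/wildcard.mydomain.com.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.mydomain.com.key

    SSLVerifyClient none

    DocumentRoot /var/www/public
</VirtualHost>
```

Two things worth checking after deploying this: that `alarm.auth.mydomain.com` really lands in the first vhost (`apachectl -S` lists the name-based vhost order), and that a client without a certificate is refused there outright rather than being served the public site, since a wrong vhost order would silently hand out the `*.mydomain.com` certificate for a name it does not cover.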