There is no simple way to do this, unfortunately.
Use a TCP frontend withouth SSL termination, SNI route to different backends that recirculate to traffic to dedicated SSL frontends with different configurations.
Something like:
frontend port443
bind :443
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend recir_clientcertenabled if { req_ssl_sni -i test1.demo.com }
default_backend recir_default
backend recir_clientcertenabled
server loopback-for-tls abns@haproxy-clientcert send-proxy-v2
backend recir_default
server loopback-for-tls abns@haproxy-default send-proxy-v2
frontend fe-ssl-clientcert
mode http
bind abns@haproxy-clientcert accept-proxy ssl crt /etc/ssl/certsforhaproxy/test1.pem crt ca-file /etc/ssl/certsforhaproxy/ca.pem verify required
frontend fe-ssl-default
mode http
bind abns@haproxy-default accept-proxy ssl crt /etc/ssl/certsforhaproxy/test2.pem crt