I suspect this will require changes to be made in Envoy in order to support attaching mTLS identity information to non-HTTP connections. I recommend filing an issue in https://github.com/envoyproxy/envoy/ to discuss this further with the Envoy maintainers.