HTTP Client Certificates should be available to WebAPI code in a host agnostic way
Since HTTP(S) client certificates are a fundamental piece in the HTTP story, there should be a standard way to access them from within WebAPI. Ideally on HttpRequestMessage.ClientCertificate (of type X509Certificate2).
Currently you would have to use host specific ways to get to that information like HttpContext.Current.Request.ClientCertificate.
You can get the client certificate from the request message using the GetClientCertificate() extension method: