AWS secure REST API with mutual authentication

As of 17th September, 2020, support for Mutual Authentication using TLS is available on AWS API Gateway: https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-api-gateway-supports-mutual-tls-authentication/ . It can be used to authenticate clients calling an API on API Gateway.

You'll have to do this on your servers.

None of the services that terminate TLS and forward requests or connections to your app tier -- Elastic Load Balancers (Classic, Application, and Network), CloudFront, or API Gateway -- support TLS mutual auth.

Of course, a Network Load Balancer without TLS termination or a Classic Load Balancer in TCP mode will pass-through your payload, whatever it is, so either of these can be used in front of your servers, but the servers will need to handle all the TLS.

Also, your conclusion is correct that API Gateway's client certificates are not what you are looking for. They work as you described them.