Basically, with TLSv1.3 you need a client that supports post-handshake authentication.
Some clients, such as Firefox for example, support it but it needs to be enabled, as it's disabled by default, see security.tls.enable_post_handshake_auth in about:config.
The best course of action if you don't control the clients connecting to your web server is probably to disable TLSv1.3.
@vladimir-mencl: what you are seeing is actually this bug: /bugs.launchpad .net/ubuntu/ +source/ firefox/ +bug/1834671
https:/
Basically, with TLSv1.3 you need a client that supports post-handshake authentication.
Some clients, such as Firefox for example, support it but it needs to be enabled, as it's disabled by default, see security. tls.enable_ post_handshake_ auth in about:config.
The best course of action if you don't control the clients connecting to your web server is probably to disable TLSv1.3.