AnyConnect - Unable to find machine certs on Windows PC - CSCuo93687

kedge
Level 1

I have had a very similar issue to this and identified a workaround that works in my environment, so here goes in case it is useful to anyone else.

The issue was that when a machine certificate issued via Microsoft AD auto-enrolment was present, I was not able to use a user certificate to perform an SBL connection on Windows 8.1 - even with my user certificate copied into the machine certificate store.

It turned out that the issue was mostly down to the subject line being blank on the machine certificate. AnyConnect seems to come across this and then not consider any more certificates. I populated the subject name in certificate templates in AD, and re-issued the certificate. At this point AnyConnect automatically picked up the computer certificate for authentication. If you disable the automatic certificate selection in AnyConnect, you get a choice and it works with the user certificate.

All you need to do then is find some way of disqualifying the machine certificate from being considered by AnyConnect. I did this by changing the Enhanced Key Usage from Client Authentication to Server Authentication for the machine certificate (again in AD Certificate Templates) and now it all works like it always used to under Windows 7.

This was all done using AnyConnect 3.1.05187.


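To see whether a given PC has certificates in the machine store that match the two conditions described in the post (a blank subject, or a Client Authentication EKU that makes the certificate a candidate for AnyConnect), the following PowerShell audit can be run on the client. It is an added example, not code from the original post or from Cisco; the OIDs are the standard Extended Key Usage identifiers, and the column names are my own.

```powershell
# Added example (not from the original post): list certificates in the
# Local Machine personal store and flag the two properties the post identifies
# as relevant to AnyConnect's automatic certificate selection.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ext) { return @() }   # no EKU extension means "any purpose"
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekus         = Get-EkuOids -Cert $_
    $blankSubject = [string]::IsNullOrWhiteSpace($_.Subject)
    $hasClient    = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
    $serverOnly   = ($ekus -contains $ServerAuthOid) -and -not ($ekus -contains $ClientAuthOid)
    [pscustomobject]@{
        Thumbprint     = $_.Thumbprint
        Subject        = $(if ($blankSubject) { '<blank>' } else { $_.Subject })
        BlankSubject   = $blankSubject          # condition the post found to break selection
        ClientAuthEku  = $hasClient             # still a candidate for client authentication
        ServerAuthOnly = $serverOnly            # the post's workaround: disqualified as a client cert
        HasPrivateKey  = $_.HasPrivateKey
        NotAfter       = $_.NotAfter
    }
}

# Blank-subject certificates first, since those are the ones to re-issue.
$report | Sort-Object BlankSubject -Descending | Format-Table -AutoSize
```

After re-issuing the machine certificate from the corrected template, re-running the audit should show BlankSubject false and ServerAuthOnly true for that certificate.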