The issue has now been resolved with the excellent assistance of Cisco TAC - it was a configuration issue within our NAM Profile.
In summary, there were 2 Network Groups within our NAM profile: "Default" and "Local Networks".
The profile was set correctly to use Machine Authentication for our wireless SSID in the "Default" group and was listed as an Administrator network within NAM (however, as before, this was failing and NAM was using the LYNC user certificate details).
Turns out there had been a test network with the same SSID set up previously within the "Local Networks" group, and this was listed as a User network, and it is this one that NAM was using to try and authenticate.
When this test network was deleted from the "Local Networks" group, we were then able to authenticate to our wireless SSID successfully using 802.1x and EAP-TLS.
Thanks again for your earlier help.