11-14-2022 09:42 AM
Hi,
Is there a way to confirm which certificate the computer is using to authenticate with Cisco ISE?
I'm asking this because this specific customer has one certificate for SCCM and another for dot1x from the same CA, and I want to make sure that they are using the dot1x one.
Environment:
2x Cisco ISE VMs 3.1.0.518 Patch4
Supplicant: Windows Native
11-14-2022 12:32 PM
The most conclusive way is to run an ISE Endpoint Debug on the MAC address of the endpoint and then perform an authentication. The Endpoint Debug contains the client certificate and you can download it and open it to see the details.
I have yet to find the steps to tell the Windows native supplicant which Windows certificate I want to use for Certificate Authentication. In my experience, if there is more than one User cert installed, then Windows tends to start from the top of the list.
11-14-2022 11:59 AM
Find out what certificate you bound:
11-22-2022 04:17 AM
Thanks @balaji.bandi !!!!!!!!
11-14-2022 03:28 PM
@Arne Bier is correct about the order being important. Although it is not well documented by MS, when the 'use smart certificate selection' option is enabled, part of the criteria for that selection is the age of the certificate. If the client has multiple computer and/or user certificates in their Personal store (and all certificates meet the requirements for use by EAP-TLS), the most recently enrolled certificate will be presented by the supplicant.
The Windows 10 supplicant does have a tab for Advanced options that can be used to define matching conditions for the certificate that should be presented for 802.1x, but if the SCCM and client certificates have the same values (Root CA, Issuing CA, EKUs, etc), this may not help. You would have to compare the certificates to see if there are matching conditions that will work for this selection. If not, you would likely need to consider making changes to your PKI architecture and/or the certificate templates to accommodate these MS limitations.
11-22-2022 04:17 AM
Thanks @Greg Gibbs !!!!!
11-22-2022 09:06 AM
@Greg Gibbs While your answer sounds great, we have anecdotal evidence (no packet captures to prove it) where we believe your answer may not be accurate. When running ISE v2.2 for a few years (we're on 2.7 now and upgrading again early next year), we found plenty of Windows systems doing EAP-TLS but failing often. Some investigations with our Windows team showed the problem devices had an old certificate on the machine along with a new one. When we started asking them to look for and delete extra (multiple active) machine certificates or OLD/expired machine certificates, these devices' EAP-TLS authentication problems went away. The "clients" covered both Windows 7 (now phased out) and Windows 10 machines. We have since asked our Windows team to add a check to their policies(?) to remove any expired machine certificates. The instances of Windows machine EAP-TLS authentication errors dropped rapidly after that.
11-22-2022 02:15 PM
@davidgfriedman , the enrollment date of the certificate is only part of the criteria used by the 'smart certificate selection' in the supplicant. I have not found any detailed documentation by MS describing the full list of criteria or exactly how this selection process works. All other things being equal, the most recently enrolled certificate that meets the requirements for EAP-TLS *should* be presented by the supplicant.
Without using the certificate matching options (this feature was never available in Windows 7), I have certainly seen more recently enrolled O365 user certs presented by the supplicant instead of the cert initially enrolled by the User Group Policy.
Having multiple expired certificates in the user/computer store is never a good thing. The Windows supplicant would not usually consider those eligible to present for EAP-TLS, but I don't know what issue they could cause with the supplicant. They should definitely be removed during the renewal process.
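Added example, not posted by anyone in this thread and not Cisco or Microsoft tooling: a PowerShell inventory of the machine certificate store that surfaces the situations discussed above (expired certs still present, several EAP-TLS-eligible certs from the same issuing CA where the most recently enrolled one is the likely pick) and lets you compare against the thumbprint of the client certificate downloaded from an ISE Endpoint Debug. It assumes machine authentication (Cert:\LocalMachine\My; use Cert:\CurrentUser\My for user auth) and takes the ISE-side thumbprint as a placeholder value.

```powershell
# Inventory of EAP-TLS candidate certificates in the local machine store.
# $PresentedThumbprint is a PLACEHOLDER: paste the thumbprint of the client
# certificate you downloaded from the ISE Endpoint Debug to see which store entry it is.
$PresentedThumbprint = 'PASTE-THUMBPRINT-FROM-ISE-ENDPOINT-DEBUG'
$Store          = 'Cert:\LocalMachine\My'
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU required for EAP-TLS
$TemplateOid    = '1.3.6.1.4.1.311.21.7'     # Microsoft "Certificate Template Information" extension
$Now            = Get-Date

$Certs = Get-ChildItem -Path $Store | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $tpl  = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid } |
            ForEach-Object { $_.Format($false) }
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        Thumbprint = $_.Thumbprint
        NotBefore  = $_.NotBefore        # enrollment time: the newest eligible cert tends to win
        NotAfter   = $_.NotAfter
        Template   = ($tpl -join '; ')
        HasKey     = $_.HasPrivateKey
        # A cert with no EKU extension is valid for all purposes, so it also counts as eligible.
        ClientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
        Expired    = ($_.NotAfter -lt $Now)
    }
}

# 1. Expired certs: not normally selected by the supplicant, but they should be purged on renewal.
Write-Host "`n== Expired certificates still in $Store =="
$Certs | Where-Object Expired | Format-Table Subject, Issuer, NotAfter -AutoSize

# 2. Eligible certs: private key present, Client Authentication EKU (or no EKU), not expired.
$Eligible = $Certs | Where-Object { $_.HasKey -and $_.ClientAuth -and -not $_.Expired }
Write-Host "`n== EAP-TLS eligible certificates =="
$Eligible | Sort-Object NotBefore -Descending |
    Format-Table NotBefore, Subject, Template, Thumbprint -AutoSize

# 3. Several eligible certs from one issuing CA (e.g. SCCM and dot1x templates): the
#    supplicant's smart selection will likely present the most recently enrolled one,
#    unless the Advanced-tab matching conditions can tell them apart (e.g. by template).
$Eligible | Group-Object Issuer | Where-Object Count -gt 1 | ForEach-Object {
    Write-Host "`n== Multiple eligible certificates from issuer $($_.Name) =="
    $_.Group | Sort-Object NotBefore -Descending | Format-Table NotBefore, Subject, Template -AutoSize
}

# 4. Confirm which store entry ISE actually saw in the Endpoint Debug.
$Match = $Certs | Where-Object { $_.Thumbprint -eq $PresentedThumbprint.Replace(' ', '').ToUpper() }
if ($Match) { Write-Host "`nISE presented cert: $($Match.Subject) / template $($Match.Template)" }
else        { Write-Host "`nNo store entry matches the thumbprint from the ISE Endpoint Debug." }
```

Run it in an elevated PowerShell on the affected endpoint; the Template column is what usually distinguishes an SCCM cert from a dot1x cert when Subject, Issuer and EKUs are otherwise identical.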
11-22-2022 04:16 AM
Thanks @Arne Bier !!!!!!!!