There is no actual authentication against an external identity when doing EAP-TLS. ISE will validate the certificate is from a trusted CA that has trust for client authentication enabled and validate the certificate is not revoked assuming you have CRL/OCSP properly configured.
What you can do in the authentication phase is have ISE extract the identity from the cert and check to see if the identity is a valid AD account, but this is not authentication. There is no computer password being passed like with PEAP. The check there is done via AD joins so your ISE deployment would have to be joined to each tenants' AD environment. You would have a different certificate authentication profile (CAP) for each tenant that references their AD connection. Then you can use certificate attributes to determine which CAP to use.
If you don't do AD checks during the authentication phase you could do checks in the authorization phase possible using LDAP connections if you don't want to join the ISE deployment to the tenants' AD environment.
There may be other options, but someone will correct me if I missed any.