The prefix of host/ comes from the fact that machine authentication is being done. The AD-joined machine is authenticating because the machine booted up, or a user logged out. If you don't want to do machine auth, then change the supplicant to do user auth only. But then the machine won't be auth'd if no user is logged in.
If you want to strip the "host/" prefix before sending the request to AD, then you can perform this manipulation in the ISE External identities menu option:
Second issue: The client would reject it if the ISE EAP certificate has expired or is invalid (wrong EKU, for example). You'd need to give more details about the ISE EAP certificate that you are using.
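
One way to gather the certificate details mentioned above, as an added example that is not part of the original post: the script checks a PEM copy of the EAP certificate for expiry and for the Server Authentication EKU. It assumes the certificate has been exported to a file and that Server Authentication is the EKU the supplicant expects, which the post does not spell out; the function names and the `ise.example.test` subject are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a PEM copy of the certificate ISE presents for EAP.
# Function names are hypothetical; only the openssl CLI is required.

# Return 0 if the cert is currently valid and carries the serverAuth EKU.
check_eap_cert() {
    pem="$1"
    rc=0
    # -checkend 0 exits non-zero if notAfter has already passed.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate is expired or unreadable"
        rc=1
    fi
    # openssl prints id-kp-serverAuth as "TLS Web Server Authentication".
    if ! openssl x509 -in "$pem" -noout -text 2>/dev/null |
            grep -q "TLS Web Server Authentication"; then
        echo "FAIL: Server Authentication EKU not present"
        rc=1
    fi
    # Print the facts worth posting when asking for help.
    openssl x509 -in "$pem" -noout -subject -issuer -enddate 2>/dev/null
    return "$rc"
}

# Constructed sample input: a throwaway self-signed cert with the given EKU.
make_sample_cert() {   # usage: make_sample_cert <out.pem> <eku>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ise.example.test" -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Run against a real export when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_eap_cert "$1"; fi
```

A certificate that passes both checks can still be rejected if the client does not trust its issuing CA, so compare the printed issuer with what the supplicant is configured to trust.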