You have a lot to consider here. A few things you should be aware of/consider:
-In order to accomplish BOTH user and machine authentication you will need to rely on eap-chaining. Typically this is/was accomplished via Cisco's EAP-FAST with AnyConnect NAM being used as your supplicant on clients. The industry standard is EAP-TEAP which supports eap-chaining and the ability to rely on the Windows built-in native supp. The caveat here is for TEAP support you need to be running at least ISE 2.7 and Win10 build (from May 2020 I believe). If you decided to rely on AnyConnect NAM just keep in mind that now you will need to manage additional software on clients which includes keeping up with upgrades, user education, etc. As @balaji.bandi mentioned your best (most secure) option is to rely on user/comp certs for auth. See the following for additional info:
https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/
https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/eap-fast/200322-Understanding-EAP-FAST-and-Chaining-imp.html
HTH!
