Do you have an example of a network where this is used?
Also, I'm curious what advantage this would have over simply using the fact that you've logged into their server via SASL External. Instead of doing a challenge, the server could instead give oper to a login that has been verified by the SASL handshake as being in possession of the private key matching the certificate that's recognized as being the oper.