...

Since the TLS client certificate is self-signed, the entity terminating the TLS transport for API servers cannot do full certificate path validation. It can check some aspects of the certificate (like the expiry date), but other than that it should just accept the certificate and present a hash of the certificate to the application server.

...