The client certificate does not contain a valid UPN, or does not match the client name in the logon request. Contact your administrator.
Some installations map their user’s UPN against other fields in the AD schema. If your company does use a modified schema, please contact our customer support. Custom schemas are only supported in on-prem deployments.