Standard TLS authenticates the SERVER to the client (your browser confirms it's really talking to bank.com). mTLS adds the inverse: the client also presents a certificate, and the server verifies it. The result is mutual authentication without passwords or API keys.
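The mutual handshake described above, as an added example that is not part of the original page: a server context that requires a client certificate, tried once with and once without one. It assumes the `openssl` CLI is on PATH; the demo CA, the certificate names and the `make_pki` and `handshake` helpers are constructed for this illustration.

```python
import contextlib, os, socket, ssl, subprocess, tempfile, threading

def make_pki():
    """Constructed throwaway PKI: one demo CA signs a server and a client cert."""
    d = tempfile.mkdtemp()
    run = lambda *a: subprocess.run(("openssl",) + a, cwd=d, check=True, capture_output=True)
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=demo-ca", "-keyout", "ca.key", "-out", "ca.crt")
    with open(os.path.join(d, "san.ext"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")  # lets the client verify the hostname
    for name in ("server", "client"):
        run("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + name,
            "-keyout", name + ".key", "-out", name + ".csr")
        run("x509", "-req", "-in", name + ".csr", "-CA", "ca.crt", "-CAkey", "ca.key",
            "-CAcreateserial", "-days", "1", "-extfile", "san.ext", "-out", name + ".crt")
    return d

def handshake(pki, present_client_cert):
    """Run one TLS handshake over a socketpair; report what the server authenticated."""
    p = lambda f: os.path.join(pki, f)
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(p("server.crt"), p("server.key"))
    srv.verify_mode = ssl.CERT_REQUIRED       # the "m" in mTLS: client must present a cert
    srv.load_verify_locations(p("ca.crt"))    # ...issued by this CA
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert and hostname
    cli.load_verify_locations(p("ca.crt"))
    if present_client_cert:
        cli.load_cert_chain(p("client.crt"), p("client.key"))
    a, b = socket.socketpair()
    result = {}
    def serve():
        try:
            with srv.wrap_socket(a, server_side=True) as s:
                subject = dict(rdn[0] for rdn in s.getpeercert()["subject"])
                result["server_saw"] = subject["commonName"]
                s.sendall(b"ok")
        except OSError as e:  # ssl.SSLError is an OSError
            result.update(server_saw=None, error=getattr(e, "reason", None) or str(e))
    t = threading.Thread(target=serve)
    t.start()
    # Under TLS 1.3 a cert-less client may only see the rejection on its first read,
    # so the verdict is taken from the server's side.
    with contextlib.suppress(OSError), cli.wrap_socket(b, server_hostname="localhost") as c:
        c.recv(2)
    t.join()
    return result

if __name__ == "__main__":
    pki = make_pki()
    print(handshake(pki, True), handshake(pki, False))
```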
Use cases: service-to-service auth inside a Kubernetes cluster (Istio uses mTLS by default), banking API integrations, IoT device authentication. Less common in browser-facing apps because client certificate management is a UX nightmare.
Tunneling mTLS through a reverse-tunnel service is awkward — the tunnel terminates TLS at the edge and re-establishes a separate TLS connection to your origin. The client cert presented to the edge isn't visible to your local server. For mTLS dev work, run the server publicly with a real cert.