In a recent post from his blog, Premier Developer Consultant Marius Rochon gives us a step-by-step overview of how to use OAuth2 Client Credential flow with an X509 certificate.
This Azure AD sample shows how to use OAuth2 Client Credential flow with an X509 certificate for authentication. Here is a procedure I use to periodically rollover the certificates.
In order to maintain continuous ability to authenticate a client you will want to define at least two certificates so that as you replace one, the other one is still available for authentication. That way you can modify the list of certificates in Azure AD and at a later stage modify the application to use the latest certificate as credential.