What level is the TLS handshake done at?

Does the TLS handshake need to be done on an infrastructure level, or an application level?

The TLS handshake happens before any request is sent; it takes place at the infrastructure layer. You can do extra checks at the application layer if you want, but by the time a request reaches the application, the mTLS handshake must have already happened. For more general information about mTLS, we recommend looking at online resources such as: https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/
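As an added illustration (not part of the original answer), the split between the two layers can be sketched with Python's standard `ssl` module: the context enforces the client certificate during the handshake, and a separate function runs an extra application-layer check on the certificate the handshake has already verified. The allowlist, host names and sample certificate dict are constructed for this example.

```python
import ssl

# Hypothetical allowlist of client identities this application accepts.
ALLOWED_CLIENT_DNS = {"billing.internal.example"}

def mtls_server_context(cert_file=None, key_file=None, client_ca_file=None):
    """Infrastructure layer: TLS context that demands a client certificate.

    The certificate is verified inside the handshake (wrap_socket / accept),
    so a client without a valid one never gets to send a request.
    File paths are supplied by the deployment; they are optional here only
    so the context can be built without key material on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # this is what makes the handshake mutual
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx

def authorize_peer(peercert, allowed=ALLOWED_CLIENT_DNS):
    """Application layer: extra check on an already-verified certificate.

    peercert is the dict returned by SSLSocket.getpeercert(). It is None or
    empty when no client certificate was validated, which is treated as deny.
    """
    if not peercert:
        return False
    dns_names = {value for kind, value in peercert.get("subjectAltName", ())
                 if kind == "DNS"}
    return bool(dns_names & set(allowed))

# Constructed sample in the shape getpeercert() returns after a handshake.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "billing.internal.example"),),),
    "subjectAltName": (("DNS", "billing.internal.example"),),
}
```

The handshake answers "is this certificate signed by a CA I trust?"; `authorize_peer` answers "is this particular identity allowed to use this application?".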