The IETF TOKBIND working group (https://datatracker.ietf.org/wg/tokbind/about) attempted to solve the problem of stolen bearer tokens by associating them with the TLS connection itself, so they couldn't be moved to another system. Eventually Google refused TOKBIND. If something won't be added to Chrome it won't matter. The rumored justification was TOKBIND would change/break web development.
Doing mutual TLS, as you suggest, breaks enterprise-deployed in-line TLS proxies (Bluecoat, et al). To avoid that breakage, while still providing mutual TLS, the new hotness seems a normal TLS 1.3 handshake (which appeases TLS proxies) and then upgrading to mutual TLS within that TLS connection (https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.2).
tokbind, mtls, tls 1.3's new dance
Doing mutual TLS, as you suggest, breaks enterprise-deployed in-line TLS proxies (Bluecoat, et al). To avoid that breakage, while still providing mutual TLS, the new hotness seems a normal TLS 1.3 handshake (which appeases TLS proxies) and then upgrading to mutual TLS within that TLS connection (https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.2).