By using mutual TLS with Application Load Balancer, your load balancer can manage client authentication to help ensure that only trusted clients communicate with your backend applications. When you use this feature, Application Load Balancer authenticates clients with certificates from third-party certificate authority (CA) or by using the AWS Private Certificate Authority (PCA)
ALB support 2 different options for mTLS:
mTLS verify: ALB performs X.509 client certificate authentication for clients when a load balancer negotiates TLS connections.
mTLS passthrough: ALB will send the entire client certificate chain to the target using HTTP headers. So customer can implement relevant authentication and authorization logic in their application.
Here is flow diagram showing mTLS in verify mode.