I would have thought you could use InTune to push a WiFi profile with digital certs and config for EAP authentication for full 802.1X with a RADIUS server - that way you end up with WiFi encryption too - not just authentication.
It mainly acts to relay details between the client and RADIUS server and implement the authentication decisions and related stuff arising from the RADIUS server's intervention.
Having separate vendors for the various components of such setups can make it more difficult to implement. This is why some customers choose to simplify as far as possible; using Meraki Systems Manager for MDM, with Meraki APs and Cisco ISE for RADIUS. You still have other vendors for the client OS's + 802.1x supplicants, of course, but it can really help.
You will need to consult NPS documentation for more detail around using cert-based client auth. Have you considered working with a partner IT company to help you integrate these things? A good one will have done this before.