I don't know the answer.
You will have to use Cisco AnyConnect for this.
I think this can be achieved - but it is going to be expensive. You want to perform authentication and authorisation based on both the user and device.
This screams Cisco ISE. I think you would need to also use the AnyConnect Posture module.
You could configure two profiles in Cisco ISE to look up the user and analyse the device they are on, and return a Filter-Id attribute to the MX to say which group policy to apply (which specifies the access restriction).
I suspect it would almost be cheaper to buy two MXs - one for each VPN case. Use AnyConnect with SAML. Let's pretend you have Office 365 or Azure AD and a subscription that includes "Azure AD Premium P1". You would have AnyConnect authenticate against Office 365. You would configure Azure CBA (certificate based authentication):
Then create a conditional access policy requiring both CBA and MFA.
For the second case, on the second MX, you would also use AnyConnect SAML with Office 365 authentication (still requires "Azure AD Premium P1"). This time you could configure a conditional access policy to require MFA. On the MX you would configure a default group policy for these users that only permitted HTTP and RDP access.
There is a feature in the works that would allow both of these on a single MX but that could easily be a year away from release.
Thinking sideways - another [simpler] way to do this would be using Cisco Duo on the Beyond plan. You would connect the first case (using AnyConnect) to Cisco Duo using SAML. You wouldn't need to use certificates. With Duo you can simply test if a computer is a member of your Active Directory or joined to your Intune (*so* much simpler than using certificates). You can also manually authorise computers and devices allowed to access.
For the second case, you would deploy the "Duo Network Gateway". This allows you to deploy a virtual appliance that provides HTTP and RDP (and some other things) access to internal resources via a web front end. Of course it uses Duo MFA. Much safer for the BYOD case. BYOD machines would have zero IP access to internal servers.