Ok, let me elaborate more.
I want to work with ES without providing username and password (native realm). I want my external clients to connect to ES and mutually authenticated. Moreover, user that is part of CN on the certificate should have special roles assign to it.
Maybe there are two things - authentication and authorization. Authentication indeed covered by mTLS which is under basic license however authorization (association of roles to specific user defined in CN) requires pki realm.
This is what suggested by the ikakavas on page you mentioned (Mutual tls/ssl on elasticsearch - #3 by SukeshGupta)
Is my understanding correct?