macOS 802.1x using *existing* certificate

Hi - we have Jamf joined Macs happily running with machine certificates issued by the Jamf CA. We have our 802.1x auth on wifi configured to allow those. If a user enters the wifi properties manually (hidden network so join other, type name, pick WPA2 Enterprise, pick TLS, select certificate etc) things work fine.

I just need a way to automate this. The payload generation / syntax only seems to allow this if an additional certificate is being requested via SCEP in the same .mobileconfig file - there does not seem to be any way to indicate a certificate to use that is already present. Side note: Jamf is supposed to be SCEP based and I don't really have heartburn creating another cert - but nobody at Jamf seems able to figure out how to do that so I'm trying to just automate what a user can do manually. The network setup command has been neutered so I have to use a profile to configure any of this - or is there another way? And the profile bits don't like me at all. Help!

Oh - and we are NOT using active directory for any of this (nor do we want to) so a raspberry for anybody who gives that example its not helping :-)