microscopic-appointment-2506
05/12/2022, 8:12 PM
# Remove the ports section from the mq container, as we keep it all internal
# Traefik (Docker provider) labels on the netmaker mq container. The broker
# publishes no ports of its own; Traefik is the only entry.
labels:
- "traefik.enable=true"
# TCP Routers
# Listens on the mq-secure entrypoint (defined on the traefik service) and
# matches purely on the TLS SNI of the incoming handshake.
- "traefik.tcp.routers.netmaker-mq-rtr.entrypoints=mq-secure"
- "traefik.tcp.routers.netmaker-mq-rtr.rule=HostSNI(`broker.${NM_BASE_DOMAIN}`)"
- "traefik.tcp.routers.netmaker-mq-rtr.tls=true"
# passthrough=true: Traefik forwards the TLS handshake to the broker as-is
# instead of terminating it.
- "traefik.tcp.routers.netmaker-mq-rtr.tls.passthrough=true"
# NOTE(review): TLS options only apply where Traefik terminates TLS. With
# passthrough=true above, the minVersion/sniStrict/clientAuth settings in
# tls-mq@file are not enforced on this router; the broker itself must require
# and verify client certificates. Confirm against the broker's TLS config.
- "traefik.tcp.routers.netmaker-mq-rtr.tls.options=tls-mq@file"
# NOTE(review): likewise, a certificate obtained via dns-cloudflare for the
# domains below is not presented by Traefik on a passthrough router; the
# broker presents its own certificate. Verify which side serves the cert.
- "traefik.tcp.routers.netmaker-mq-rtr.tls.certResolver=dns-cloudflare"
- "traefik.tcp.routers.netmaker-mq-rtr.tls.domains[0].main=${NM_BASE_DOMAIN}"
- "traefik.tcp.routers.netmaker-mq-rtr.tls.domains[0].sans=*.${NM_BASE_DOMAIN}"
- "traefik.tcp.routers.netmaker-mq-rtr.service=netmaker-mq-svc"
# TCP Services
# Target port on the mq container (internal network only, no published port).
- "traefik.tcp.services.netmaker-mq-svc.loadbalancer.server.port=8883"
And `tls-mq@file` refers to a Traefik dynamic YAML configuration file that declares the client-certificate (mTLS) options:
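# Traefik dynamic configuration (file provider). The options below are
# referenced as tls-mq@file by the netmaker-mq-rtr TCP router.
tls:
  options:
    tls-mq:
      # Refuse TLS versions below 1.2.
      minVersion: VersionTLS12
      # Refuse clients that do not send a server_name (SNI) matching a
      # certificate Traefik holds.
      sniStrict: true
      # Mutual TLS: clients must present a certificate that chains to one of
      # the CAs in caFiles, and it must verify.
      clientAuth:
        # Path inside the Traefik container; must match the certs-mq volume
        # mount on the traefik service. This is the CA certificate only — no
        # private key needs to be in that directory.
        caFiles:
          - /etc/traefik/certs-mq/root.pem
        clientAuthType: RequireAndVerifyClientCert
      # NOTE(review): these options take effect only where Traefik terminates
      # TLS. The router that references them sets tls.passthrough=true, so
      # Traefik hands the handshake to the broker unmodified and the broker
      # must enforce client-certificate authentication itself — confirm.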
And in the Traefik container section, add or change the following:
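# Additions to the traefik service in docker-compose.
command:
  # Dedicated TCP entrypoint for the MQ broker. Append this as an item to the
  # existing command list — a bare scalar under `command:` would replace all
  # other Traefik flags with this single one.
  - "--entrypoints.mq-secure.address=:8883"
ports:
  # Only Traefik publishes 8883; the mq container keeps no ports section.
  - "8883:8883"
volumes:
  # Host directory holding root.pem, the CA that tls-mq@file uses to verify
  # MQ client certificates. Mounted read-only because Traefik only reads it;
  # keep private keys out of this directory. Replace /PATHTO with the host path.
  - /PATHTO/certs/:/etc/traefik/certs-mq/:ro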