New Feature Request
Resolution: Unresolved
Medium
None
5.2.2
None
Per the discussion in https://support.zabbix.com/browse/ZBXNEXT-6328 this is a feature request to add client certificate-based authentication to TLS connections with MQTT. This is required to use the AWS IoT Core service.
In order to achieve this, the MQTT plugin will need to call tls.LoadX509KeyPair() with paths to the client cert and key, create a TLS Config object containing that configuration, then set the TLS config as an MQTT option using SetTLSConfig().
I have attached a patch that does this by treating a username and password that begin with a '/' as paths to a cert/key to be loaded into TLS. It may make sense to add additional checks that confirm a username starting with a '/' is actually a file before loading it, but I didn't add code for that to my proof-of-concept.