By default, when you install OpenDJ with a self-signed cert and enable StartTLS on the LDAP port, the client auth policy for the LDAP connection handler is set to optional:
optional - Clients are requested to provide their own certificates when performing SSL negotiation, but still accept the connection even if the client does not provide a certificate.
As Chris Ridd found, and then I reproduced, when you set up client certificate authentication as described in CR-1234, the result is LDAP 49.
If you set ssl-client-auth-policy: required for the handler and try again, the bind is successful.
Oddly enough, if you change the value – I changed it a couple of times – and set it back to optional, then the bind is successful, too. Chris restarted OpenDJ and saw it work, but I saw it work without restarting the server.
The expected behavior would be that it works with ssl-client-auth-policy: optional out of the box.