FortiClient
kwcheng__FTNT
Article Id 417495
Description This article describes the issue of being unable to select a certificate for authentication in FortiClient. The user is unable to choose the certificate from the FortiClient dropdown menu, despite it being installed on Windows.
Scope FortiClient.
Solution

To resolve this issue, make sure the client certificate is installed in the Windows 'User' certificate store and not the 'Local Machine' store, as shown in the screenshot below:

 

11221599.png

 

By default, FortiClient only displays a client certificate that has been imported into the user store. If the certificate is imported into the 'Local Machine' store, the following configuration must be added to FortiClient before the certificate can be applied in the X.509 certificate option:

 

SSL VPN:

  1. Edit the FortiClient backup configuration file.
  2. Search for <sslvpn>.
  3. Under <options>, add one extra line:

<allow_standard_user_use_system_cert>1</allow_standard_user_use_system_cert>

 

This option is a Boolean and defaults to '0', which means it is disabled by default.

 

Dial-up IPsec tunnel:

By default, even if the certificate is already installed on the machine, it cannot be selected in the X.509 certificate drop-down.

 

cert-not-showing.png

 

To apply the certificate for each IPsec dial-up remote access profile:

  1. Edit the FortiClient backup configuration file.
  2. Search for <name>YOUR_IPSEC_PROFILE_NAME</name>.
  3. Under <ike_settings>, add one extra line: <run_fcauth_system>1</run_fcauth_system>

 

This option is a Boolean and defaults to '0', which means it is disabled by default.

The following sample shows the XML file after adding <run_fcauth_system>1</run_fcauth_system>:

 

sample-cert-ipsec.png

 

After restoring the updated XML file, the installed PKI certificate is now selectable and can be properly referenced within the configuration.

 

cert-appeared.png
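
The two edits above can also be applied with a script, which is useful when the same change has to go into several backup files. This is an added example, not code from the original article or from Fortinet. The sample document is constructed, and its wrapper elements (forticlient_configuration, vpn, ipsecvpn, connections, connection) and the placement of <name> beside <ike_settings> are assumptions; only sslvpn, options, name, ike_settings and the two flags come from the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real FortiClient export; wrapper element names are assumptions.
SAMPLE = """<forticlient_configuration><vpn>
  <sslvpn><options></options></sslvpn>
  <ipsecvpn><connections>
    <connection><name>YOUR_IPSEC_PROFILE_NAME</name><ike_settings/></connection>
    <connection><name>other-profile</name><ike_settings/></connection>
  </connections></ipsecvpn>
</vpn></forticlient_configuration>"""


def set_flag(parent, tag, value="1"):
    """Create or update <tag> under parent. Return True if the file changed."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    changed = node.text != value
    node.text = value
    return changed


def enable_system_cert(xml_text, ipsec_profile):
    """Apply both edits from the article; return (new_xml, list_of_changes)."""
    root = ET.fromstring(xml_text)
    changes = []
    # SSL VPN: the flag goes under <options> inside <sslvpn>.
    options = root.find(".//sslvpn/options")
    if options is not None and set_flag(options, "allow_standard_user_use_system_cert"):
        changes.append("sslvpn")
    # IPsec: only the named profile is touched, so other tunnels keep the default of 0.
    for elem in root.iter():
        name, ike = elem.find("name"), elem.find("ike_settings")
        if name is None or ike is None:
            continue
        if (name.text or "").strip() == ipsec_profile and set_flag(ike, "run_fcauth_system"):
            changes.append("ipsec:" + ipsec_profile)
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    updated, changes = enable_system_cert(SAMPLE, "YOUR_IPSEC_PROFILE_NAME")
    print(changes)
    print(updated)
```

The returned change list is empty when both flags are already set to 1, so the function can be run repeatedly and doubles as a check of which backup files already expose machine-store certificates to standard users.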