Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: 2.9.3, 2.11.6
Component/s: None
Environment: RHEL 7, dotnet core 3.1, python 2.7
We have a replica set of 3 nodes. Each node authenticates using x509 certificates. Some clients also authenticate using x509 certificates. Everything works if the certification path is like this:
root_ca -> certificate
but if the certification path is
root_ca -> intermediate_ca -> certificate
the C# driver cannot connect using x509 auth. Python and the mongo command can connect using the same certificate just fine. Upon further investigation I assume the C# client only sends a single certificate for validation.
Relevant code part used for testing:

    // certificatePath: pfx file containing the intermediate CA cert and the client cert with its key
    var certificateCollection = new X509Certificate2Collection();
    certificateCollection.Import(certificatePath);
    // put the certificate that has the private key (the client cert) first
    var certificateList = certificateCollection
        .Cast<X509Certificate2>()
        .ToList()
        .OrderByDescending(c => c.HasPrivateKey);
    settings.SslSettings = new SslSettings
    {
        ClientCertificates = certificateList,
        CheckCertificateRevocation = false,
    };

certificatePath: location of the pfx file containing the intermediate CA cert and the client cert with key
The list contains two X509Certificate2 objects. If the first certificate in the list is the intermediate CA, the error on the MongoDB server is:
Failed to authenticate CN=xsuser@$external with mechanism MONGODB-X509: AuthenticationFailed: There is no x.509 client certificate matching the user.
But if the first certificate in the list is the client certificate (with the intermediate certificate second), MongoDB says:
SSL peer certificate validation failed: unable to verify the first certificate
Since the mongo command and the Python client can connect just fine with the same certificate chain, I assume the C# driver has something to do with it. Or maybe I'm missing something about client configuration regarding x509 auth with an intermediate CA? There is no documentation specific to intermediate CAs.
Is related to: CSHARP-3588 Document limitation whereby SslStream doesn't send intermediate certs (Backlog)
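Because SslStream sends only the leaf certificate (the limitation tracked in CSHARP-3588), the server has to complete the chain from its own CA material. The following added diagnostic is not from the ticket or the driver; it loads the same kind of pfx, then builds the leaf's chain twice against a custom root trust, once without and once with the pfx's intermediates, to show whether a leaf-only handshake can be verified. The file paths and the empty pfx password are constructed placeholders; it assumes .NET Core 3.0+ for X509ChainPolicy.TrustMode and CustomTrustStore.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not driver code). Paths and password are placeholders.
static class X509ChainDiagnostic
{
    const string PfxPath = "/etc/mongo-client/client.pfx";     // placeholder: intermediate + leaf with key
    const string PfxPassword = "";                             // placeholder
    const string RootCaPath = "/etc/mongo-client/root_ca.pem"; // placeholder: the root the server trusts

    // Builds the leaf's chain trusting only `root`. sendIntermediates == false mirrors
    // what the server sees from an SslStream client (leaf only); true mirrors a client
    // that ships the full chain or a server that already holds the intermediate.
    static bool ChainBuilds(X509Certificate2 leaf, X509Certificate2[] intermediates,
                            X509Certificate2 root, bool sendIntermediates, out string status)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // like CheckCertificateRevocation = false
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        if (sendIntermediates)
            chain.ChainPolicy.ExtraStore.AddRange(intermediates);
        bool ok = chain.Build(leaf);
        status = ok ? "OK" : string.Join(", ", chain.ChainStatus.Select(s => s.Status.ToString()));
        return ok;
    }

    static void Main()
    {
        var collection = new X509Certificate2Collection();
        collection.Import(PfxPath, PfxPassword, X509KeyStorageFlags.DefaultKeySet);
        var certs = collection.Cast<X509Certificate2>().ToList();
        var leaf = certs.Single(c => c.HasPrivateKey);            // the client cert; must be first in ClientCertificates
        var intermediates = certs.Where(c => !c.HasPrivateKey).ToArray();
        var root = new X509Certificate2(RootCaPath);

        Console.WriteLine($"Leaf: {leaf.Subject}; intermediates in pfx: {intermediates.Length}");
        bool leafOnly = ChainBuilds(leaf, intermediates, root, sendIntermediates: false, out var s1);
        bool withInts = ChainBuilds(leaf, intermediates, root, sendIntermediates: true, out var s2);
        Console.WriteLine($"Root only (leaf-only handshake as seen by the server): {s1}");
        Console.WriteLine($"Root + intermediates:                                  {s2}");
        if (!leafOnly && withInts)
            Console.WriteLine("The server must hold the intermediate CA itself, since the driver will not send it.");
    }
}
```

A result of PartialChain in the first run and OK in the second reproduces the "unable to verify the first certificate" situation from the report without touching the server.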