SERVER-41069, allowRolesFromX509Certificates was added as a switch to enable or disable the use of x509 authorization extensions for the entire mongod/mongos process.
This is not granular enough for the use case where mongod is running with multiple CAs, some trusted and some un-trusted. An un-trusted CA would be allowed to issue client certificates but the authorizations must still be controlled by the MongoDB database user. A trusted CA would be allowed to issue certificates with x509 authorization extensions.
Ideally instead of allowRolesFromX509Certificates being a boolean there would instead be a way to pass MongoDB a list of trusted CAs.