802.1X certificate-based authentication at layer 2 is a good defense-in-depth strategy.
Edit: oh wait, you mean have the applications check the certificate? Yes, but then you need support from the application. Does your printer do that, for example? You need to make sure everything does. You can of course do both.