
I am testing mTLS with nginx ingress and I have a working scenario. Now I'm trying to see what happens with an expired client certificate:

Validity
  Not Before: Oct 13 20:05:00 2022 GMT
  Not After : Oct 13 21:05:00 2022 GMT

Curl's output is:

* Server certificate:
*  subject: C=ES; ST=Madrid; L=Madrid; O=My company; OU=My OU
*  start date: Oct 12 09:31:00 2022 GMT
*  expire date: Oct 10 09:31:00 2028 GMT
*  subjectAltName: host "thirdparties.mydomain.com" matched cert's "thirdparties.mydomain.com"
*  issuer: C=ES; L=Madrid; O=My company; OU=My OU; CN=Thirdparties CA
*  SSL certificate verify ok.
> POST /foo HTTP/1.1
> Host: thirdparties.mycompany.com
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 1012
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Server: nginx/1.21.5
< Date: Fri, 14 Oct 2022 16:47:30 GMT
< Content-Type: text/html
< Content-Length: 215
< Connection: close
<
<html>
<head><title>400 The SSL certificate error</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.21.5</center>
</body>
</html>

Nginx is reporting the SSL certificate as OK, so I cannot use the $ssl_client_verify variable for my purpose of returning a custom error page in JSON format.

I always need to return the response in JSON format. Customizing a 400 error page is not possible; any attempts to capture the error have been useless and always return the error in the same format. This is my virtualserver spec:

spec:
  host: thirdparties.mycompany.com
  policies:
  - name: nginx-virtualserver-thirdparties-policy
  routes:
  - action:
      pass: my-api # must match an entry under upstreams
    location-snippets: if ($ssl_client_verify != SUCCESS) { return 495; }
    path: /foo
  - action:
      return:
        body: |
          {"code": "BAD_REQUEST", "message": "Client certificate error"}
        code: 495
        type: application/json
    path: /bar # force error even with good certificate
  server-snippets: |
    if ($ssl_client_verify != SUCCESS) {
      return 495;
    }
  tls:
    secret: nginx-virtualserver-thirdparties
  upstreams:
  - name: my-api
    port: 8000
    service: my-api
rmacian
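As an added example (not part of the question and not the NGINX project's own configuration), this is the plain nginx server block underneath such a VirtualServer. When client certificate verification fails, nginx finalizes the request with its internal status 495 (496 when no certificate was sent) before any location or `if` is evaluated, which is why the snippets above never run; `error_page 495` is the hook that replaces the built-in "The SSL certificate error" HTML page. The file paths, server name and upstream address are placeholders.

```nginx
# Added example: plain nginx equivalent of the VirtualServer above.
# Paths, names and the upstream address are placeholders, not values
# taken from the question.
upstream my_api {
    server 127.0.0.1:8000;
}

server {
    listen 443 ssl;
    server_name thirdparties.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Client certificates must chain to this CA. An expired or otherwise
    # invalid certificate makes nginx finalize the request with status 495,
    # a missing certificate with 496, before any location is matched, so a
    # location-level "if ($ssl_client_verify ...)" is never reached.
    ssl_client_certificate /etc/nginx/tls/clients-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Send both internal statuses to a named location instead of the
    # default "400 The SSL certificate error" HTML page.
    error_page 495 496 = @cert_error;

    location @cert_error {
        default_type application/json;
        # The client gets a real 400 with a JSON body; the verification
        # failure reason (e.g. "certificate has expired") is still written
        # to the nginx error log for the operator.
        return 400 '{"code": "BAD_REQUEST", "message": "Client certificate error"}';
    }

    location /foo {
        proxy_pass http://my_api;
    }
}
```

In the VirtualServer CRD the `error_page` line and the `@cert_error` block would go into `server-snippets` (assumption: snippets are enabled on the controller), with the policy keeping `verifyClient: "on"`.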