Client Certificate Authentication and Kerberos Delegation

I am trying to enable a topology where:

  1. Non domain-joined client (smartphone, non-Windows browser, etc.) authenticates via client cert to IIS 8
  2. IIS 7.5 performs clientCertificateMappingAuthentication to match the certificate subject to an AD user
  3. The user is then impersonated on an ASP.NET thread
  4. The user's identity is delegated to a back end service - SQL, in this case.

I have 1-3 working. Requirement 4 escapes me (though it will work for HTTP basic authentication and Windows authentication).

I have enabled failed request tracing and don't see any IIS errors, the SQL connection just tries to open anonymously and fails.  The same page request works (SQL request authenticates) if I just ignore client certs on the IIS site.

This is just a delegation issue.  The app pool identity is mapped to an SPN and trusted for delegation (all protocols) to the service in question:

userPrincipalName: service-kerbtest@xyz.qa1
servicePrincipalName: http/kerbtest.xyz.qa1
msDS-AllowedToDelegateTo: MSSQLSvc/bcaps.dbs.xyz.qa1:1433

Here you can see some evidence that the client-IIS authentication is working.

WindowsIdentity (AppPool process: 2636):
WindowsIdentity (current thread): XYZQA1\Hugh.Kelley
AuthenticationType: Kerberos
IsAuthenticated: True

Connecting to:
Server=bcaps.dbs.xyz.qa1;Integrated Security=SSPI;Initial Catalog=master;

Error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Page User: XYZQA1\Hugh.Kelley
Page AuthenticationType: SSL/PCT

From web.config:

    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>

From applicationHost.config:

    <location path="kerbtest.xyz.qa1">
        <system.webServer>
            <security>
                <access sslFlags="Ssl, SslNegotiateCert" />
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <clientCertificateMappingAuthentication enabled="true" />
                    <basicAuthentication enabled="false" />
                </authentication>
            </security>
        </system.webServer>
    </location>
    <location path="kerbtest.xyz.qa1" overrideMode="Allow">
        <system.webServer>
            <security>
                <authentication>
                    <windowsAuthentication>
                        <providers />
                        <extendedProtection />
                    </windowsAuthentication>
                </authentication>
            </security>
        </system.webServer>
    </location>
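An added diagnostic handler (not code from the original post) that checks the point this topology depends on: whether the thread token produced by client-certificate mapping can carry the user's identity to SQL Server, compared with a token obtained by protocol transition (S4U2Self) for the same user. It assumes .NET Framework on IIS, that the app pool account is configured for constrained delegation with protocol transition as the post states, and that the certificate-mapped account's UPN suffix is the post's `xyz.qa1` (a hypothetical derivation; the name prefix and connection string are taken from the post).

```csharp
// Added example, not from the original post. Reports the impersonation level of the
// current token and what SQL Server actually sees under it, then repeats the check with
// a protocol-transition (S4U2Self) token requested for the same user.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class DelegationProbe : IHttpHandler
{
    // Connection string from the post.
    const string ConnStr =
        "Server=bcaps.dbs.xyz.qa1;Integrated Security=SSPI;Initial Catalog=master;";

    // Runs SUSER_SNAME() under the supplied token so SQL reports the principal it saw
    // (expected: the mapped user; the post's failure shows NT AUTHORITY\ANONYMOUS LOGON).
    static string SqlIdentityUnder(WindowsIdentity id)
    {
        try
        {
            using (id.Impersonate())
            using (var cn = new SqlConnection(ConnStr))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
            {
                cn.Open();
                return (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex) { return "FAILED: " + ex.Message; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.ContentType = "text/plain";
        var threadId = WindowsIdentity.GetCurrent();
        // A token below TokenImpersonationLevel.Impersonation cannot represent the user
        // to another host, whatever the AD delegation settings say.
        ctx.Response.Write("Thread token: " + threadId.Name + " (" + threadId.AuthenticationType
            + ", level " + threadId.ImpersonationLevel + ")\n");
        ctx.Response.Write("SQL sees:     " + SqlIdentityUnder(threadId) + "\n");

        // Hypothetical UPN derivation for the S4U request; use the UPN the certificate maps to.
        string upn = threadId.Name.Split('\\')[1] + "@xyz.qa1";
        using (var s4u = new WindowsIdentity(upn))   // KDC issues the ticket via S4U2Self
        {
            ctx.Response.Write("S4U token:    " + s4u.Name + " (level " + s4u.ImpersonationLevel + ")\n");
            ctx.Response.Write("SQL sees:     " + SqlIdentityUnder(s4u) + "\n");
        }
    }

    public bool IsReusable { get { return false; } }
}
```

If only the S4U token reaches SQL as the mapped user, the thread token from certificate mapping is the part of the chain that is not delegable, which narrows the problem to the IIS mapping step rather than the AD delegation entries.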

