Feature Request - Match X.509 remote CN in IP / IPSec / Identities

Certificate-based authentication in IPSec seems to assume that remote endpoints will be using template-based policies without a fixed IP address structure on the remote end. If we want to use X.509-based authentication for LAN-to-LAN VPNs with a fixed set of subnets on the remote side, we must trust the remote side to be honest about the ID (FQDN) it sends, or we must manually upload a unique certificate for each endpoint and maintain this as certificates are replaced for whatever reason. The whole point of X.509 is to avoid this overhead.

For example, if a remote site router was stolen, the configuration could be changed to use any valid certificate to impersonate any other remote site by changing the FQDN specified in the configuration. It would be preferable to be able to specify a specific certificate subject name to match in the identity, which then allows us to lock in the specific policy to be tied to the connection.
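To make the requested behaviour concrete, here is an added example (not code from the original post, and not anything the router vendor ships) of the policy-selection logic the request is asking for: the remote subnets are looked up by the CN of the peer's already chain-validated certificate, and the free-form IKE ID the peer sends is only accepted if it agrees with that CN. The policy table, site names and subnets are constructed for illustration, and the certificate subject is taken as an RFC 4514 string so the example runs without a crypto library; in a real implementation it would come from the certificate after signature and chain verification.

```python
"""Bind an IPsec peer's policy to the identity proven by its X.509 certificate,
not to the IKE ID string the peer chooses to send.

Added example, not part of the original post; names and subnets are constructed."""
from typing import Dict, List, Optional

# Constructed policy table: authenticated certificate CN (lower-case) -> remote subnets.
# This is the "lock the policy to the certificate subject" the feature request asks for.
SITE_POLICIES: Dict[str, List[str]] = {
    "site-a.example.net": ["10.1.0.0/24"],
    "site-b.example.net": ["10.2.0.0/24", "10.2.1.0/24"],
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 4514 distinguished-name string into {ATTR: value}.

    Backslash-escaped characters (e.g. "\\," inside a value) are kept literally;
    if an attribute type appears more than once the first occurrence wins."""
    attrs: Dict[str, str] = {}
    key, buf, escaping, in_value = "", [], False, False
    for ch in dn + ",":  # a trailing comma flushes the last RDN
        if escaping:
            buf.append(ch)
            escaping = False
        elif ch == "\\":
            escaping = True
        elif ch == "=" and not in_value:
            key = "".join(buf).strip().upper()
            buf, in_value = [], True
        elif ch == "," and in_value:
            attrs.setdefault(key, "".join(buf).strip())
            buf, in_value = [], False
        else:
            buf.append(ch)
    return attrs


def select_policy(cert_subject: str, claimed_id: str,
                  policies: Dict[str, List[str]] = SITE_POLICIES) -> Optional[List[str]]:
    """Return the remote subnets for this peer, or None to reject the connection.

    cert_subject is the subject DN of the peer certificate after chain
    validation, i.e. what the CA actually vouched for. claimed_id is the IKE
    identity (FQDN) the peer sent, which it can set to anything. Requiring the
    two to agree and keying the policy on the certificate CN means a peer holding
    a valid certificate can only obtain the policy issued to that certificate."""
    cn = parse_dn(cert_subject).get("CN")
    if cn is None:
        return None                       # nothing in the certificate to bind to
    cn = cn.lower()
    if claimed_id.lower() != cn:          # peer's claimed ID does not match its certificate
        return None
    return policies.get(cn)               # unknown CN -> no policy -> reject


if __name__ == "__main__":
    # Honest site A: certificate CN and IKE ID agree, policy for site A is selected.
    print(select_policy("CN=site-a.example.net,O=Example,C=US", "site-a.example.net"))
    # Site A's certificate reconfigured to claim site B's ID: rejected, because the
    # policy is keyed on the certificate, not on the ID the peer chose to send.
    print(select_policy("CN=site-a.example.net,O=Example,C=US", "site-b.example.net"))
```

The check is deliberately strict: an honest peer always passes because its IKE ID is simply its own certificate CN, while a peer that sends a different ID gains nothing, since the policy was never looked up by that ID in the first place.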