Reverse proxies terminate the TLS session, so the client certificate never makes it to Incus, meaning you’ll forever be untrusted and unable to do anything. That’s unless your reverse proxy works at the TCP level (which is what I do for my clusters).
It’s not so much browser trust as it is user authentication.
Incus doesn’t know what a user is, it doesn’t have the concept of usernames and passwords for authentication. What it has is a list of client certificates which are trusted to interact with it.
Adding the client certificate to the web browser and having your browser use it to connect to Incus is how you authenticate.
(All of the above assumes the default TLS authentication. Those using OpenID Connect don’t use any of that TLS stuff and so can handle http reverse proxies and the like.)