This is by design. If you allow a user to connect using Credential OR Client Cert, we'd need a username from the client cert.
A workaround is to set the User Name in the Certificate Profile to use the Subject Alt Name of the Certificate. When you generate the Machine Certificate for the Pre-Logon, do NOT put anything in the Subject Alt Name field. This should allow both Machine Cert users (without Cookies) and non-Machine Cert users.
Best practice would be to set up 2 Portals and 2 Gateways: one with the CertProfile (for your domain trusted machines) and one without (for your contractors).