Yes, you can use certificate/key authentication with the rest API. Here's a basic workflow for it:

================================================================================
= As the administrative account, create a new root_ca certificate which will be
= used to sign all certificate requests for the user accounts you'd like to be
= able to authenticate
================================================================================

cycrh6rtp20:~/$ curl -iku admin -X POST -d '{"type": "root_ca", "common_name": "MyCompany", "expiry_time": "3652days"}' https://<cluster_mgmt>/api/security/certificates
Enter host password for user 'admin':
HTTP/1.1 201 Created
Date: Fri, 02 Oct 2020 10:07:54 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Location: /api/security/certificates/23c38b55-0497-11eb-b855-005056bb97cc
Content-Length: 3
Content-Type: application/hal+json

{
}cycrh6rtp20:~/$

================================================================================
= Create a certificate signing request for the user that you want. The common_name
= in the request must match the username in ONTAP
================================================================================

cycrh6rtp20:~/$ openssl genrsa -out cert_user.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
................................................................................................+++
e is 65537 (0x10001)
cycrh6rtp20:~/$ openssl req -sha256 -new -nodes -key cert_user.key -subj /C=US/ST=PA/L=Pittsburgh/O=MyCompany/OU=BestPart/CN=ricky_bobby -out cert_user.csr
cycrh6rtp20:~/$

================================================================================
= Have ONTAP sign the certificate request with the root CA we created earlier
= and save the response to a file
================================================================================

cycrh6rtp20:~/$ curl -iku admin -X POST -d '{"signing_request": "-----BEGIN CERTIFICATE REQUEST-----
MIICsTCCAZkCAQAwbDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlBBMRMwEQYDVQQH
DApQaXR0c2J1cmdoMRIwEAYDVQQKDAlNeUNvbXBhbnkxETAPBgNVBAsMCEJlc3RQ
YXJ0MRQwEgYDVQQDDAtyaWNreV9ib2JieTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAL49TSzQTP3CaBKz461n1UGdiculboS+e76sBbjNVl58mO0qsREi
V8WNSNblZbJGbkz4rotUO4YQIizs0w7iMyQaEgZbysBYG4OXYW6duZg/kCkbpchz
vI/q+Uqbg5WAbS2DyPx0GhfUpxnld2NVoH1yBFG8auJZ7Z2UVkpeFouyfOy6JQAz
oF8fnHCENN7Wh7HlYF0I+mf9KW2HN5790TbgLx6Yaz4uiQ+eK/vWgGFJjTi5Am/x
FbNLnafTL5o6mk9WhqJamYLhxm2FY04Z0RvHtPC5i/30qj8MrfvmI144RvIuBPUz
vyvRv9JzRxfo6C6PCj2XDdWMWVtAJikOXa8CAwEAAaAAMA0GCSqGSIb3DQEBCwUA
A4IBAQB2oMYRhiemhZq5RdtekDKDh6C7QiRclmJUZQuOB9Dac9pwJO/oSC0+668I
TTCdLY+L7YQ96V2X34Pau0HzIiPlxyJm6ZzNf9pXBIeJWwzdG5/LXTQqg/LlT1Rl
utBwemSuBSQdij1EEEpuY+vHkftDTQMkgkOWB5EWlTzzVQzswIFbES/IOyxBY7s9
WD3d/GAD/UHBX5uKYvvm3WKJrf5UifPUJBqm+BjK1qcseCyNFpurRxwUKyjerI0W
oRdRtdjYM7wYZyvT9YlKBUcvNMmkIw0LIFwVhk2hBXM2+BJtGfdeHyFfOujjdRkh
ncnwe1Sy2w8Mi/I6aAh6sM6QtWv5
-----END CERTIFICATE REQUEST-----"}' https://<cluster_mgmt>/api/security/certificates/23c38b55-0497-11eb-b855-005056bb97cc/sign
Enter host password for user 'admin':
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Fri, 02 Oct 2020 10:15:58 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Length: 1274
Content-Type: application/hal+json

{
  "public_certificate": "-----BEGIN CERTIFICATE-----\nMIIDXDCCAkSgAwIBAgIIFjolasqTdLgwDQYJKoZIhvcNAQELBQAwITESMBAGA1UE\nAxMJTXlDb21wYW55MQswCQYDVQQGEwJVUzAeFw0yMDEwMDIxMDE1NThaFw0yMTEw\nMDIxMDE1NThaMGwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJQQTETMBEGA1UEBwwK\nUGl0dHNidXJnaDESMBAGA1UECgwJTXlDb21wYW55MREwDwYDVQQLDAhCZXN0UGFy\ndDEUMBIGA1UEAwwLcmlja3lfYm9iYnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\nggEKAoIBAQC+PU0s0Ez9wmgSs+OtZ9VBnYnLpW6Evnu+rAW4zVZefJjtKrERIlfF\njUjW5WWyRm5M+K6LVDuGECIs7NMO4jMkGhIGW8rAWBuDl2FunbmYP5ApG6XIc7yP\n6vlKm4OVgG0tg8j8dBoX1KcZ5XdjVaB9cgRRvGriWe2dlFZKXhaLsnzsuiUAM6Bf\nH5xwhDTe1oex5WBdCPpn/Slthzee/dE24C8emGs+LokPniv71oBhSY04uQJv8RWz\nS52n0y+aOppPVoaiWpmC4cZthWNOGdEbx7TwuYv99Ko/DK375iNeOEbyLgT1M78r\n0b/Sc0cX6Ogujwo9lw3VjFlbQCYpDl2vAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYD\nVR0OBBYEFBiErwnY2ZaAEuzX/ggjHJ9JMN+bMB8GA1UdIwQYMBaAFAldpMFmjRvm\nPlhx0COQtmtMB/K2MA0GCSqGSIb3DQEBCwUAA4IBAQDBJ3iYfOf5zHj1duych9Z8\nN2S4CJJqUrzYGuP7h+0nQK1wM3QnzUZGuv2h60kZ5lNItS0RbpWxViZNPuFfMvsC\n0hP6M1eLIXl39N1U6c/T4KOUZBOwW50kRLp5jJycMTNLrbE+g+43JbP94Y5f/JN4\n/HdwXnodCFslPSHj+x/5IFLTL6aCBD0b+6DW5DYHd6jORxN0xYlEzI5SxKdRlbAp\nBpJYEUZg1DK84Ojb9fuLOUeFvFA4oSpoH/nbqtGlGmODrzzZTZs8IU9/C4kXC/qC\n37fjbviTn/aQbMxIpW3jfAWsVcMohvfL+lUnZ8hmtZDXLuxvFu3C/MHLIuUuTX2x\n-----END CERTIFICATE-----\n"
}cycrh6rtp20:~/$ echo -e "-----BEGIN CERTIFICATE-----\nMIIDXDCCAkSgAwIBAgIIFjolasqTdLgwDQYJKoZIhvcNAQELBQAwITESMBAGA1UE\nAxMJTXlDb21wYW55MQswCQYDVQQGEwJVUzAeFw0yMDEwMDIxMDE1NThaFw0yMTEw\nMDIxMDE1NThaMGwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJQQTETMBEGA1UEBwwK\nUGl0dHNidXJnaDESMBAGAUECgwJTXlDb21wYW55MREwDwYDVQQLDAhCZXN0UGFy\ndDEUMBIGA1UEAwwLcmlja3lfYm9iYnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\nggEKAoIBAQC+PU0s0Ez9wmgSs+OtZ9VBnYnLpW6Evnu+rAW4zVZefJjtKrERIlfF\njUjW5WWyRm5M+K6LVDuGECIs7NMO4jMkGhIGW8rAWBuDl2FunbmYP5ApG6XIc7yP\n6vlKm4OVgG0tg8j8dBoX1KcZ5XdjVaB9cgRRvGriWe2dlFZKXhaLsnzsuiUAM6Bf\nH5xwhDTe1oex5WBdCPpn/Slthzee/dE24C8emGs+LokPniv71oBhSY04uQJv8RWz\nS52n0y+aOppPVoaiWpmC4cZthWNOGdEbx7TwuYv99Ko/DK375iNeOEbyLgT1M78r\n0b/Sc0cX6Ogujwo9lw3VjFlbQCYpDl2vAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYD\nVR0OBBYEFBiErwnY2ZaAEuzX/ggjHJ9JMN+bMB8GA1UdIwQYMBaAFAldpMFmjRvm\nPlhx0COQtmtMB/K2MA0GCSqGSIb3DQEBCwUAA4IBAQDBJ3iYfOf5zHj1duych9Z8\nN2S4CJJqUrzYGuP7h+0nQK1wM3QnzUZGuv2h60kZ5lNItS0RbpWxViZNPuFfMvsC\n0hP6M1eLIXl39N1U6c/T4KOUZBOwW50kRLp5jJycMTNLrbE+g+43JbP94Y5f/JN4\n/HdwXnodCFslPSHj+x/5IFLTL6aCBD0b+6DW5DYHd6jORxN0xYlEzI5SxKdRlbAp\nBpJYEUZg1DK84Ojb9fuLOUeFvFA4oSpoH/nbqtGlGmODrzzZTZs8IU9/C4kXC/qC\n37fjbviTn/aQbMxIpW3jfAWsVcMohvfL+lUnZ8hmtZDXLuxvFu3C/MHLIuUuTX2x\n-----END CERTIFICATE-----\n" > cert_user.crt
cycrh6rtp20:~/$

================================================================================
= Create a user account in ONTAP with a username matching our certificate's
= common name
================================================================================

cycrh6rtp20:~/$ curl -iku admin -X POST -d '{"name": "ricky_bobby", "applications": [{"application": "http", "authentication_methods": ["cert"]}]}' https://<cluster_mgmt>/api/security/accounts
Enter host password for user 'admin':
HTTP/1.1 201 Created
Date: Fri, 02 Oct 2020 10:19:34 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Location: /api/security/accounts/2327973e-ff18-11ea-9dc7-005056bb97cc/ricky_bobby
Content-Length: 3
Content-Type: application/hal+json

{
}cycrh6rtp20:~/$

================================================================================
= Now we can authenticate to the API as our user by passing our certificate and key
================================================================================

cycrh6rtp20:~/$ curl -ik --cert cert_user.crt --key cert_user.key https://<cluster_mgmt>/api/cluster?fields=version
HTTP/1.1 200 OK
Date: Fri, 02 Oct 2020 10:20:37 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Length: 221
Content-Type: application/hal+json

{
  "version": {
    "full": "NetApp Release Cloudwalker__9.9.0: Mon Sep 28 12:10:37 UTC 2020",
    "generation": 9,
    "major": 9,
    "minor": 0
  },
  "_links": {
    "self": {
      "href": "/api/cluster"
    }
  }
}cycrh6rtp20:~/$

================================================================================
= If you want to limit the scope of the user and what they can do, you can change
= the user's role from admin to something custom that has only the permissions
= you want
================================================================================

cycrh6rtp20:~/$ curl -iku admin -X POST -d '{"name": "volume_reader", "privileges": [{"access": "readonly", "path": "/api/storage/volumes"}]}' https://<cluster_mgmt>/api/security/roles
Enter host password for user 'admin':
HTTP/1.1 201 Created
Date: Fri, 02 Oct 2020 10:25:52 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Location: /api/security/roles/2327973e-ff18-11ea-9dc7-005056bb97cc/volume_reader
Content-Length: 3
Content-Type: application/hal+json

{
}cycrh6rtp20:~/$
cycrh6rtp20:~/$ curl -iku admin -X PATCH -d '{"role": {"name": "volume_reader"}}' https://<cluster_mgmt>/api/security/accounts/2327973e-ff18-11ea-9dc7-005056bb97cc/ricky_bobby
Enter host password for user 'admin':
HTTP/1.1 200 OK
Date: Fri, 02 Oct 2020 10:26:50 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Length: 3
Content-Type: application/hal+json

{
}cycrh6rtp20:~/$

================================================================================
= Now our previous cluster API call will fail, but we can still get a list of
= volumes from the API
================================================================================

cycrh6rtp20:~/$ curl -ik --cert cert_user.crt --key cert_user.key https://<cluster_mgmt>/api/cluster?fields=version
HTTP/1.1 403 Forbidden
Date: Fri, 02 Oct 2020 10:27:30 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Length: 86
Content-Type: application/hal+json

{
  "error": {
    "message": "not authorized for that command",
    "code": "6"
  }
}cycrh6rtp20:~/$ curl -ik --cert cert_user.crt --key cert_user.key https://<cluster_mgmt>/api/storage/volumes?return_records=false
HTTP/1.1 200 OK
Date: Fri, 02 Oct 2020 10:27:58 GMT
Server: libzapid-httpd
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
Content-Length: 119
Content-Type: application/hal+json

{
  "num_records": 5,
  "_links": {
    "self": {
      "href": "/api/storage/volumes?return_records=false"
    }
  }
}cycrh6rtp20:~/$