There’s nothing special about a “client certificate” —- they’re not (necessarilly) any different than a TLS server certificate. Technically a relying party might check that a client certificate includes the “client auth” key use, but most (all?) commercial certificates issued for TLS/HTTPS servers do this (I know Let’s Encrypt does).
So... what they’re asking for isn’t actually anything fancy. Just go buy a normal certificate like you would for any other server (or get one for free from let’s encrypt).
In fact, if they want a cert that is signed by a CA that “works in browsers by default” it must be the case that what they’re looking for is a vanilla commercial “Web PKI” certificate. This must be true because the CA/Browser Forum requirements that commercial CAs are audited against stipulate that CAs are only allowed to sign vanilla certificates. They can’t sign anything fancier.
It sounds like what the vendor you talked to was trying to sell you was a commercial CA that they manage for you. In other words, your own root certificate authority. Those certificates would not be trusted by browsers by default. There’s no reason to pay for that — you could just run a CA yourself and do the same thing. In fact I contribute to an open source project[1] that does exactly that, if that’s what you end up needing.
[1] https://github.com/smallstep/certificates
