1

I'd like to only allow requests to an HTTP-triggered Azure Function that include a well-known client-certificate.

I do not want requests forwarded to the Azure Function that are not "approved".

  • I have set Client-certificate mode to Require

Where is the Trust Store in Azure where I can store these well-known, client public certificates?

  • How do I point AppService to look at this Trust Store?
4

1 Answer

1

Host your Azure Functions behind an APIM; then you can use APIM to manage your client certificates. You can then use the Client Certificates page in the Azure portal to upload your client certificates to the APIM resource and configure the APIM policy to only allow trusted clients.

For setting up APIM over your Azure Functions, see: https://docs.microsoft.com/en-us/learn/modules/build-serverless-api-with-functions-api-management/

For using client certificates to secure access to an API: https://docs.microsoft.com/en-us/learn/modules/control-authentication-with-apim/4-secure-access-client-certs

Also see: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

Answered 2021-03-24T21:52:25.737
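An inbound APIM policy of the kind the answer above describes, shown as an added example (not part of the original answer): it rejects any request whose client certificate is missing, fails validation, or does not match a certificate uploaded to the APIM instance. The 403 reason text is an arbitrary choice.

```xml
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Reject when no certificate was presented, when it fails
                 chain/expiry validation, or when its thumbprint is not among
                 the certificates uploaded to this APIM instance. -->
            <when condition="@(context.Request.Certificate == null
                               || !context.Request.Certificate.Verify()
                               || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
                <return-response>
                    <set-status code="403" reason="Invalid client certificate" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The policy only filters traffic that passes through APIM, so the Function App itself must also be restricted to accept calls from the APIM instance alone, otherwise a direct request to the function URL never reaches this check.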