Alex,
1. No, you cannot do PKI + LDAP. However PAM does support importing PKI users from an LDAP, making it possible to use the LDAP to control what PAM groups a user belongs to, and thus what systems they may access.
2. Yes, certificates of the correct type, when loaded into the Windows user store (not sure where to load it for Linux/Mac), may be used for PKI authentication. The certificate must be issued by a CA that is trusted by PAM or it will not be presented for login. Of course, certificates used this way are not considered 2FA, which is likely your reason for question 1?
PAM does support SAML authentication if you need a more flexible authentication scheme. With a simple SAML configuration you can offload your authentication to a popular service like Symantec VIP, where you can really customize the authentication process.
Also note that I have seen success using YubiKeys in smartcard mode for two-factor PKI authentication. The key fobs are more expensive than cards, but they don't require as much infrastructure. Worth considering if you have relatively few privileged users.
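As an added illustration of the two conditions in point 2 (issued by a trusted CA, and of the right certificate type), here is a throwaway check script. It is my own example, not code from the reply above or from any PAM product; it assumes the `openssl` command-line tool is installed, and it assumes "correct type" means the `clientAuth` extended key usage (the usual requirement for logon certificates; the product's exact filter is not stated in the thread). All CAs and user certificates are constructed on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is on PATH.
# Builds a trusted test CA, an untrusted test CA and three constructed user
# certificates, then reports which ones would satisfy "trusted issuer" and
# "correct type" (assumed here to be the clientAuth extended key usage).
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config; the v3_ca section is only applied when -x509 is used.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for an end-entity logon certificate (constructed).
cat > client_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Extensions for a server certificate: wrong type for user logon.
cat > server_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# Two test CAs: one the "PAM" trusts, one it does not.
q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config req.cnf \
  -subj "/CN=Trusted Test CA" -keyout trusted-ca.key -out trusted-ca.pem
q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config req.cnf \
  -subj "/CN=Untrusted Test CA" -keyout rogue-ca.key -out rogue-ca.pem

# issue_cert NAME CA EXTFILE: create a CSR for NAME and sign it with CA.
issue_cert() {
  q openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr"
  q openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$3" -out "$1.pem"
}

issue_cert alex-good   trusted-ca client_ext.cnf   # trusted CA, clientAuth
issue_cert alex-rogue  rogue-ca   client_ext.cnf   # untrusted CA
issue_cert alex-server trusted-ca server_ext.cnf   # trusted CA, wrong EKU

# check_client_cert CERT CA_BUNDLE: succeeds only if CERT chains to CA_BUNDLE
# and explicitly carries the clientAuth EKU.
check_client_cert() {
  # -purpose sslclient rejects certs whose EKU is present but lacks clientAuth.
  q openssl verify -CAfile "$2" -purpose sslclient "$1" || return 1
  # Also require the EKU to be present; a cert with no EKU would otherwise pass.
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q "TLS Web Client Authentication" || return 1
}

for c in alex-good alex-rogue alex-server; do
  if check_client_cert "$c.pem" trusted-ca.pem; then
    echo "$c.pem: would be offered for login"
  else
    echo "$c.pem: rejected (untrusted issuer or wrong certificate type)"
  fi
done
```

Running it prints one line per certificate: only `alex-good.pem` passes, the rogue-issued one fails the chain check, and the server certificate fails the type check even though its issuer is trusted. The same `openssl verify` call is a quick way to confirm that a user's certificate really chains to the CA you imported into the PAM trust store before blaming the login prompt.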