In my opinion, the use of the idassert-bind parameter allows the proxy server to use its own certificate for authentication and to transmit its DN via SASL EXTERNAL to the backend server.
The TLS options in this parameter specify the paths to the certificates (CERT,KEY,CA) to be used. My interpretation may not be correct.
