Dovecot authentication with hardware key ( yubikey )

Recently, I've been working on implementing hardware keys for authorization in dovecot/postfix and unfortunately, perhaps due to lack of knowledge, I wasn't able to implement it. From what I've seen, yubikey has the ability to use private keys (I found in the dovecot documentation that it can verify the client certificate) but unfortunately I have no idea how to implement it, because how would yubikey pass the certificate/private key to thunderbird and then this to dovecot. There is also postfix. At the moment we have a mail server that is synchronized with active directory and takes passwords from there, while the users are virtual ( vmail, and thats why PAM isn't the way ). Postfix authorizes over SASL. On windows server active directory we already have it tested and working (based on hardware key certificate). Are you able to propose a solution where we could have authorization with a hardware key (there may be a certificate, even the best would be because of authorizations in the active directory)?