Thank you both for providing very detailed information!
This helped me a lot to find out how to get the Apache 2 server working correctly with the Hana Cloud Connector. For everybody who is interested in this: I am going to write a detailed tutorial at on of the public SAP platforms.
In short: The key is, that as mentioned above, the client certificate is sent as an ordinary HTTP header after the SSL connection was established. The name of this header is 'SSL_CLIENT_CERT'.
By default, Apache does not forward this header, because Apache populates an own header with this standardized name. I guess Apache does not set the HCC principal propagation header to prevent some kind of injection attack.
After manually forwarding and validating the 'SSL_CLIENT_CERT' header, everything works as expected.
Thank you all again.
Best Regards,
Martin