From my experience it's a popular security requirement to stipulate backend traffic use mutual-TLS (doesn't actually exist as a concept, it's just TLS with a client certificate..) except that usually devolves to self-signed certs, hence doesn't quite have the revocation benefits of a real PKI.
It's also a slightly different use case from normal PKI for browsers, CRL (Certificate Revocation List) lose lots of their value and OCSP become much more useful.
For most developers a full-blown HSM is too expensive, e.g. Gemalto is $50k a year or something? Whereas a YubiHSM is a one-off purchase of ~ $700. This is much more appealing.
This follows pages 366-376 of Bulletproof TLS pretty closely. It's recommended reading.
The accompanying blog post for this repo on josephkirwin.com will have some extra info on roles in the HSM and dettail 1 or 2 shortcomings.