I was wrong about the CertificateRequest piece. The answer is very much unclear.
The code currently interprets the use of resumption as a reason not to permit a CertificateRequest, but it's not clear that this is unsupported.
The spec seems to be clear about external PSKs:
Implementations MUST NOT combine external PSKs with certificate-based authentication of either the client or the server unless negotiated by some extension.
However, it also seems to contradict this with a more general statement:
Servers which are authenticating with a PSK MUST NOT send the CertificateRequest message in the main handshake, though they MAY send it in post-handshake authentication (see Section 4.6.2) provided that the client has sent the "post_handshake_auth" extension (see Section 4.2.6).
That reads like a contradiction to me, and I can't resolve it.
I believe that the intent of the first is to exclude the combination of an external PSK and certificate during the handshake. This text was added specifically to allow for RFC 8773 to be published.
The second is consistent with this interpretation regarding the combination during the handshake. Where it is unclear is with respect to post-handshake authentication. It basically allows post-handshake authentication, even if you have an external PSK. That's consistent with what we learned in analysis of the protocol: if you let the server ask the client for a certificate without also offering its own certificate, then the attack discovered by Sam Smith et al. applies.
But this leaves the functioning of post-handshake authentication ambiguous as it relates to the use of resumption PSKs. I think that the first quote supports the view that you can't use it with an external PSK. But the second could be read to allow it more generally. It might be time to take this to the TLS WG.