Type: Bug
Resolution: Done
Priority: Critical
Version: 1.1.0.Beta47
Token #MUTUAL should work as follows:
#MUTUAL - matches all mechanisms which authenticate the server in some way (this might just mean making the server prove that it knows the password); it currently matches #FAMILY(SCRAM) and #FAMILY(GS2), but may be adjusted in the future as new mechanisms become available. [1]
However, SaslMechanismPredicate.MUTUAL [2] also incorrectly requires an SSL context to be present; see:
    // the sslSession != null check makes the match depend on TLS rather than on the mechanism
    boolean test(final String mechName, final SSLSession sslSession) { return sslSession != null && SaslMechanismInformation.MUTUAL.test(mechName); }
An SSL context should not be required for #FAMILY(SCRAM) or #FAMILY(GS2): both authenticate the server within the mechanism itself, with or without TLS.
[1] https://issues.jboss.org/browse/EAP7-567?focusedCommentId=13408238&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13408238
[2] https://github.com/wildfly-security/wildfly-elytron/blob/03e583dd476dbbdf05e3c852d34e191f181038aa/src/main/java/org/wildfly/security/sasl/SaslMechanismPredicate.java#L185
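The following is an added example, not Elytron's own code, that reimplements a minimal #MUTUAL predicate to show the defect described above. The family checks (SCRAM-* and GS2-* prefixes) follow the description in [1]; the class name, the helper methods and the mechanism list are assumptions made for the illustration.

```java
import javax.net.ssl.SSLSession;
import java.util.function.Predicate;

/**
 * Hypothetical reimplementation of the #MUTUAL selector predicate.
 * Not wildfly-elytron code; it only demonstrates how composing the
 * mechanism-name check with an SSL-session requirement changes the result.
 */
public final class MutualPredicateDemo {

    // Family checks as described in [1]: #MUTUAL currently covers SCRAM and GS2.
    static final Predicate<String> FAMILY_SCRAM = name -> name.startsWith("SCRAM-");
    static final Predicate<String> FAMILY_GS2   = name -> name.startsWith("GS2-");
    static final Predicate<String> MUTUAL       = FAMILY_SCRAM.or(FAMILY_GS2);

    /** Buggy form (as in [2]): a mechanism only matches when an SSL session exists. */
    static boolean mutualRequiringSsl(String mechName, SSLSession sslSession) {
        return sslSession != null && MUTUAL.test(mechName);
    }

    /** Corrected form: mutual authentication is a property of the mechanism, not of TLS. */
    static boolean mutualFixed(String mechName, SSLSession sslSession) {
        return MUTUAL.test(mechName);
    }

    public static void main(String[] args) {
        // Constructed sample mechanism names; two mutual, two not.
        String[] mechs = { "SCRAM-SHA-256", "GS2-KRB5", "PLAIN", "DIGEST-MD5" };
        SSLSession noTls = null; // a plain, non-TLS connection

        System.out.printf("%-14s %-8s %-8s%n", "mechanism", "buggy", "fixed");
        for (String m : mechs) {
            System.out.printf("%-14s %-8b %-8b%n", m,
                    mutualRequiringSsl(m, noTls), mutualFixed(m, noTls));
        }
    }
}
```

On a connection with no SSL session the buggy form rejects every mechanism, including SCRAM-SHA-256 and GS2-KRB5, while the corrected form selects exactly the two mutual-authentication mechanisms; the non-mutual names are rejected by both.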
Clones: JBEAP-11288 Elytron sasl-mechanism-selector token #MUTUAL incorrectly requires SSL context (Closed)