This is quite a specific design question, but in general - yes, it is possible.
The AP is capable of both roles - authenticator and authentication server. You may either use LDAP to query the user, or forward EAP-TLS requests to NPS.
It all depends on the required design.
Let us know if you need more details.