If I create a SslStream instance like this:

secureStream = new SslStream(stream, true, tlsRemoteCallback, tlsLocalCallback);

And then I use one of the AuthenticateAsServer or BeginAuthenticateAsServer methods, is it at all possible for the LocalCertificateSelectionCallback (tlsLocalCallback) to be invoked? And if so, how?

I'm under the impression this isn't possible, because the AuthenticateAsServer method requires an X509Certificate parameter. And if you pass null, then it throws an exception. But I want to be certain since I'm trying to write a socket API for other developers on my team to use.

Are you trying to have secureStream pick which certificate it uses to authenticate itself with the client?

I don't think that is possible. Doing some Reflectoring, I see that the delegate ultimate goes to a "m_CertSelectionDelegate" in System.Net.Security.SecureChannel. A quick analysis of this variable seems to indicate that it's only using for verifying a server cert or verifying the cert the client gives to mutually authenticate itself.