Re: proper pg_hba config to require ssl from non-local/private ips - Mailing list pgsql-admin

From Jeff Janes
Subject Re: proper pg_hba config to require ssl from non-local/private ips
Msg-id CAMkU=1w4terLtcWHm2gZXO92pB69UdFZdeyvSoLBAiS3A_9B2Q@mail.gmail.com
In response to Re: proper pg_hba config to require ssl from non-local/private ips  (Matthew Lenz <mlenz@nocturnal.org>)
List pgsql-admin
On Wed, Oct 19, 2022 at 12:29 PM Matthew Lenz <mlenz@nocturnal.org> wrote:

> On Wed, Oct 19, 2022 at 10:47 AM Jeff Janes <jeff.janes@gmail.com> wrote:
>
> > No, clientcert=verify-ca forces the server to check the client's certificate.  Forcing the client to check the server's certificate must be done on the client end.  (And of course if you are not connecting via that line of the pg_hba, then that setting doesn't do anything.)
>
> I didn't say the client was meant to enforce it.  I meant the server should be enforcing it (it's not).

Well, if it isn't enforcing ssl in the first place, it certainly can't be enforcing clientcert.  Worry about making sure your current version of pg_hba is actually in use first, then the clientcert issue should take care of itself.  You still can't start debugging the one (in the unlikely event it still needs debugging) until after you fix the other.

Cheers,

Jeff
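
An added example, not part of Jeff Janes's message or the thread: a simplified Python model of pg_hba.conf first-match lookup, showing why a `clientcert=verify-ca` option does nothing when an earlier `host` line already matches the connection. The two sample files, the addresses and the helper names are constructed for illustration; the model handles only `all` or CIDR addresses and `all` or comma-separated database and user fields.

```python
import ipaddress

# Constructed pg_hba.conf samples (not from the thread).
# BROAD: the "host" line is listed first and also matches non-SSL clients.
BROAD_HBA = """\
local    all  all                 peer
host     all  all  0.0.0.0/0      scram-sha-256
hostssl  all  all  0.0.0.0/0      scram-sha-256 clientcert=verify-ca
"""
# TIGHT: plain "host" only for a private range; everything else needs SSL.
TIGHT_HBA = """\
local    all  all                 peer
host     all  all  10.0.0.0/8     scram-sha-256
hostssl  all  all  0.0.0.0/0      scram-sha-256 clientcert=verify-ca
"""

def parse_hba(text):
    """Parse records into dicts; simplified: no quoting, includes or netmask column."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":            # local records have no address field
            f.insert(3, None)
        rules.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                      "addr": f[3], "method": f[4], "options": f[5:]})
    return rules

def first_match(rules, client_ip, ssl, db, user):
    """Return the first record matching a TCP connection, or None (rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r["type"] not in ("host", "hostssl", "hostnossl"):
            continue                   # e.g. "local" never matches TCP
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue
        if r["db"] != "all" and db not in r["db"].split(","):
            continue
        if r["user"] != "all" and user not in r["user"].split(","):
            continue
        if r["addr"] != "all":
            net = ipaddress.ip_network(r["addr"], strict=False)
            if ip.version != net.version or ip not in net:
                continue
        return r                       # first match wins; later lines are ignored
    return None
```

On a running server, the `pg_hba_file_rules` view shows the rules as parsed from the file on disk, and edits only take effect after a configuration reload.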
