It took me awhile to dig up evidence for this, but the closest I can find is that subordinate CA certificates will no longer be allowed to have id-kp-clientAuth EKU [1], however this restriction does not apply to leaf certificates.

[1]: https://googlechrome.github.io/chromerootprogram/#321-applic...