1 year ago

#386655

cubiii

Contactless smart card authentication as Signature Terminal (ST) during PACE fails

I am trying to access the eSign application of the smart card. If I understood correctly, for that I first need to authenticate as a Signature Terminal (ST) during PACE. (Because currently, if I try to select the eSign application, I get file not found.)

This is the APDU I am sending during MSESetAT to achieve that:

0x00 - instruction class
0x22 - instruction code
0xC1 - p1
0xA4 - p2
0x20 - length

0x80 - oid tag
0x0A - oid length
0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x04, 0x02, 0x04 - PACE oid

0x83, 0x01, 0x02 - CAN password id

0x7F, 0x4C - Certificate Holder Authorization Template
0x0E - length
0x06 - oid tag
0x09 - oid length
0x04, 0x00, 0x7F, 0x00, 0x07, 0x03, 0x01, 0x02, 0x03 - id-ST oid (0.4.0.127.0.7.3.1.2.3)
0x53 - tag for data
0x01 - length of data
0x03 - 2 lowest bits set for generating qualified electronic signature, and electronic signature
0x00 - expected response length

The response I get is sw1 - 0x6A, sw2 - 0x80 which corresponds to: Incorrect parameters in the data field.

However, if I swap the id-ST oid with the id-AT oid: 0x04, 0x00, 0x7F, 0x00, 0x07, 0x03, 0x01, 0x02, 0x02, it succeeds and I get sw1 - 0x90, sw2 - 0x00.

Am I forgetting something or is it maybe not even possible to achieve over NFC?

The smart card I am trying with is a national ID card of Croatia, and I am following TR-03110 specifications.

nfc

digital-signature

smartcard

apdu

contactless-smartcard
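
Added example, not part of the original post: a Python sketch that rebuilds the MSE:Set AT command from the fields listed in the question and walks its TLVs to check the length bytes. The function names are hypothetical, and the dotted forms of the PACE and id-AT OIDs are decoded from the bytes in the post.

```python
# Added example: rebuild the MSE:Set AT command from the question and check its TLVs.
def encode_oid(dotted):
    """DER-encode the value bytes of an OID (no tag or length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                      # base-128, high bit marks continuation
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)

def tlv(tag, value):
    """Tag bytes + short-form length + value (values under 128 bytes only)."""
    if len(value) > 0x7F:
        raise ValueError("long-form lengths not handled in this example")
    return tag + bytes([len(value)]) + value

def build_mse_set_at(pace_oid, password_id, role_oid, auth_bits, le=None):
    """Assemble CLA/INS/P1/P2, Lc, tags 0x80, 0x83, 0x7F4C and an optional Le."""
    chat = tlv(b"\x06", encode_oid(role_oid)) + tlv(b"\x53", auth_bits)
    data = (tlv(b"\x80", encode_oid(pace_oid))
            + tlv(b"\x83", bytes([password_id]))
            + tlv(b"\x7f\x4c", chat))
    apdu = bytes([0x00, 0x22, 0xC1, 0xA4, len(data)]) + data
    return apdu if le is None else apdu + bytes([le])

def parse_tlvs(data):
    """Walk a flat TLV run; raise ValueError if a header or value overruns it."""
    items, i = [], 0
    while i < len(data):
        tag_len = 2 if data[i] & 0x1F == 0x1F else 1   # 0x7F4C is a two-byte tag
        start = i + tag_len + 1                        # first byte of the value
        if start > len(data) or start + data[start - 1] > len(data):
            raise ValueError(f"TLV at offset {i} overruns the data field")
        length = data[start - 1]
        items.append((data[i:i + tag_len].hex(), data[start:start + length]))
        i = start + length
    return items

PACE_OID = "0.4.0.127.0.7.2.2.4.2.4"   # decoded from the bytes in the post
ID_ST = "0.4.0.127.0.7.3.1.2.3"        # as given in the post
ID_AT = "0.4.0.127.0.7.3.1.2.2"        # decoded from the bytes in the post

if __name__ == "__main__":
    for name, oid in (("id-ST", ID_ST), ("id-AT", ID_AT)):
        apdu = build_mse_set_at(PACE_OID, 0x02, oid, b"\x03", le=0x00)
        print(name, apdu.hex(" "), parse_tlvs(apdu[5:5 + apdu[4]]))
```

The rebuilt id-ST command is byte-for-byte the listing in the question, so its Lc (0x20) and CHAT length (0x0E) are consistent, and the id-AT variant differs from it in a single OID byte.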

0 Answers