I don't know of any switches that are 802.1x supplicants, so Option A is probably out. So between Options B and C, the primary difference is cost. I imagine rewiring your office is both expensive and disruptive, vs the cost and the hassle of managing all those new switches.
The real question you should be asking is, what threat am I defending against, and what is the real risk? Are you really worried that someone might sneak into your building (I have no idea what kind of office you're in or where it is) and plug in an unknown device? Why would they do that? The question should not be "is it possible," but "is it a significant risk worth the cost of rewiring or buying new switches?"
As an example, in the office where I'm currently working (a quasi-government agency), we do not have 802.1x. In theory, anyone can plug a device into the network. But in order to do so, you first have to get by the guards at the entrance, and you would need a badge with a card key. If you are an employee, you would know that there is a policy prohibiting unauthorized devices on the network.
Clearly, if you really, really wanted to, you could bypass all these controls. But management has decided that these controls are sufficient, given the risk to the network. Frankly, if you really wanted something on our network, it would be easier to pwn a machine and steal it remotely. That way, you could take your time and avoid the risk of detection and arrest.
My point is: just because you have a shiny new 802.1x system for Wi-Fi, it doesn't mean you need it for your wired network. Or if you do decide to use it, tamper-proof boxes, etc., may not be necessary. You (and management) need to weigh the risk against the cost of new switches, wiring, maintenance and reliability (what happens if your RADIUS server crashes? Does that block all network access?).
Maybe you work in a high-security environment where all these controls are necessary. But I'm guessing you have a solution looking for a problem. Best to weigh the risk vs cost. That analysis will allow you to justify the costs (monetary and operational) to management.
It looks like "No". There's nothing specific in TACACS+ to transport a certificate exchange; however, an ASCII data payload could suffice (the RFC is a decade old). The real question is whether ACS has any method to handle it. And that also appears to be "no". The only mention I can find of PKI or certificate-based authentication is for EAP-TLS, which is not what you want.
Update
I found a single reference in IOS-XR documents:
Note: The preferred method of authentication would be as stated in the SSH RFC. The RSA based authentication support is only for local authentication, and not for TACACS/RADIUS servers.
Best Answer
The short answer is no, because the SSH authentication happens before the login authentication (where the TACACS server is contacted).
Even if it were possible to download the certificate, you would then have the problem of verifying that the device that downloaded it is in fact the right switch.
I suspect having the certificate on the switch is relatively low risk. It would be very, very difficult (but not impossible) to steal the private key to impersonate the switch.