I just want to confirm exactly what you mean by your question, so that I know I am answering the right thing. You have mentioned both QMGR-QMGR channels and client connected applications. Then you have asked, "how do we authenticate the application (userid) putting the message on the remote system, when we only have the inbound message?".
Do you wish to apply authentication on the remote system? Do you have control of the remote system? Or do you wish to apply authentication to the message that was already put on the remote system, and has travelled to your own system over a QMGR-QMGR channel - is that what you mean by "inbound message"?
I assume from your statement of zero trust when talking about clients, you perhaps also have zero trust between the remote queue manager and your queue manager? Is that correct? Is that where your question comes from? You have no trust over the authentication done on the remote system and you want to apply your own authentication locally as the message arrives over the QMGR-QMGR channel?
As @Mark Taylor has already noted, Advanced Message Security (AMS) is one of the ways you can authenticate a message coming from another system. This is authenticating the sender of the message by their Distinguished Name (DN) from their certificate. It does not touch or change the user ID inside the message.
Do you currently use the user ID inside the message for authorization purposes downstream? Do you need to ensure the user ID inside the message conforms to some set of rules? Does your channel use it for target queue authorization checks? If not, AMS may be all you need. If you need to alter the user ID to be something else, then you will need to look into a Message Exit.