How do you ensure someone else didn’t just create a new cert with the same user id? At a minimum there needs to be a step to sign the public key (with another flow to prove the CSR requester's identity). Do you see how this is a lot more moving pieces than OAuth that the user needs to figure out?
If you’re suggesting just storing a cert thumbprint, that means a DB call on every request - no different from just a secret token.
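To make the commenter's two points concrete, here is an added example that is not code from this thread: a throwaway PKI built with the openssl CLI, where a CA-signed cert for CN=alice is accepted and a self-signed look-alike with the same CN is rejected by chain verification alone, with no per-request database lookup. It assumes the openssl binary is installed; the CA name, the user "alice" and the file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway PKI built with the openssl CLI.
# Assumes the openssl binary is installed; the CA name, "alice" and paths are constructed.
set -e

# Build a private CA, a CA-signed client cert for CN=alice, and a rogue
# self-signed cert that also claims CN=alice. All files go into directory $1.
setup_pki() {
  dir="$1"
  mkdir -p "$dir"
  # The CA is the one trust anchor the server pins, instead of a per-user thumbprint.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Legitimate user: generate a CSR, then the CA signs it. The identity-proofing
  # flow the commenter mentions would sit between these two steps.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
  openssl x509 -req -in "$dir/alice.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/alice.pem" 2>/dev/null
  # Someone else minting a cert with the same user id, never signed by the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
    -keyout "$dir/rogue.key" -out "$dir/rogue.pem" 2>/dev/null
}

# Authenticate a presented client cert: verify its chain to the CA and only then
# print the CN as the user id. Returns 0 on success, 1 on failure. No database
# lookup is involved; the CA signature is what binds the CN to an approved key.
authenticate_cert() {
  ca="$1"; cert="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

# Demo: the CA-signed cert authenticates as alice, the look-alike is rejected.
work=$(mktemp -d)
setup_pki "$work"
echo "alice.pem -> $(authenticate_cert "$work/ca.pem" "$work/alice.pem" || echo REJECTED)"
echo "rogue.pem -> $(authenticate_cert "$work/ca.pem" "$work/rogue.pem" || echo REJECTED)"
rm -rf "$work"
```

Revocation is the one place a lookup creeps back in: a CRL or OCSP check would be needed to reject a CA-signed cert after the fact.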