I am researching Proof of Possession for API authentication as a means of reducing the impact of credential their:

https://ben3d.ca/blog/proof-of-possession-api-tokens

It's an important problem but how does this differ from TLS client certificates?