Hmmm. I'm sure browser certs is a well-worn topic, so maybe you could just point me to a proposal/discussion about it, but I don't really see the benefit client keys have over per-user symmetric tokens if each app is its own CA. Symmetric tokens can also be distributed/stored without special browser support.
The cryptosystem required to do per-app certificates is already resident in every mainstream browser; we are literally a UI/UX fix away from having that working.
Meanwhile, to a first approximation, zero people have tokens.
Web servers would have to be retrofitted to sign, distribute, and authenticate client certificates, so there is O(apps) work to be done. For symmetric tokens, each app would just have to store the token in the user DB, and then tell the client to hold it in local storage, which is probably less work for the server admin, and also doesn't require browser support.