Certificate-Bound Access Tokens are a more secure way to authenticate OAuth 2.0 clients. They add a security layer when using access tokens for authorization.
If an OAuth client uses mutual TLS when connecting to the OAuth authorization server (AS), the AS binds the issued access token to the client certificate used. This is done by storing a hash value of the client certificate in the JWT cnf claim.
Endpoints verifying the access token can check that the correct client certificate is presented and thus ensure that the token is used by the legitimate OAuth client only.
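The check a verifying endpoint performs, as an added example (not code from the original page). It assumes the hash is carried as the x5t#S256 member of cnf, as RFC 8705 defines it, and that the token's signature, issuer, audience and expiry were already validated; the certificate bytes and claims are constructed sample values.

```python
import base64
import hashlib
import hmac


def x5t_s256(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)) without padding, per RFC 8705."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_cert_binding(claims: dict, presented_cert_der: bytes) -> tuple[bool, str]:
    """Compare the token's cnf thumbprint with the certificate from the TLS session.

    `claims` must come from a JWT that has already passed signature and
    standard-claim validation; this function checks only the binding.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False, "token carries no cnf claim (not certificate-bound)"
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str) or not expected:
        return False, "cnf claim has no x5t#S256 member"
    if not presented_cert_der:
        return False, "no client certificate presented on the TLS connection"
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison of the two thumbprints.
    if hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8")):
        return True, "certificate matches token binding"
    return False, "presented certificate does not match token binding"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEGIT_CERT = b"constructed-der-bytes-of-legitimate-client"
OTHER_CERT = b"constructed-der-bytes-of-another-client"

# Constructed claims, as the AS would issue them for LEGIT_CERT.
BOUND_CLAIMS = {"sub": "client-1", "cnf": {"x5t#S256": x5t_s256(LEGIT_CERT)}}
UNBOUND_CLAIMS = {"sub": "client-1"}

if __name__ == "__main__":
    cases = [
        ("bound token, same certificate", BOUND_CLAIMS, LEGIT_CERT),
        ("bound token, different certificate", BOUND_CLAIMS, OTHER_CERT),
        ("bound token, no certificate", BOUND_CLAIMS, b""),
        ("unbound token", UNBOUND_CLAIMS, LEGIT_CERT),
    ]
    for label, claims, cert in cases:
        print(label, "->", check_cert_binding(claims, cert))
```

In a deployment the DER bytes come from the TLS layer that terminated the mutual TLS connection, and a token without a cnf claim is rejected wherever binding is required.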