by 45h34jh53k4j 3499 days ago
Nah, it's not the same thing. Client Authenticated TLS provides a mutually authenticated channel. Mutually authenticated channels cannot be man-in-the-middled. The auth is happening at the transport layer.

A login through a QR code (basically a token) is just normal TLS with the same MiTM risk. It's just an application-layer login.


I don't understand the security argument you're making. Are you claiming that, if I use client certs, I am protected against a rogue CA issuing a fake certificate for web.whatsapp.com? How?

If you're thinking of a protocol like Kerberos, then yes, you can derive a shared secret because there's a single-point-of-trust authentication entity (the KDC) which has knowledge of both your password and the server's password/key, and yes, your password certifies that you're talking to the right server (as long as the KDC is trustworthy). But that's not how TLS mutual auth works.
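As an added illustration of what each side of a mutual TLS handshake actually checks (example code written for this page, not code from either commenter), the Go program below uses only the standard library. It mints an in-memory root CA, a server certificate and a client certificate issued by that root, plus a second root standing in for a rogue CA and a server certificate for the same hostname issued by it. All names (Real Root CA, Rogue Root CA, web.example.test, alice) are constructed for the example. It then runs three handshakes over loopback TCP: both sides trusting the same root; a client that offers no certificate to a server that requires one; and a server whose certificate chains to the rogue root, which the client has in its trust store. Under TLS 1.3 the client's Handshake() can return before the server has judged the client certificate, so the server's verdict is collected from its own goroutine rather than inferred from the client, and session tickets are disabled so the server writes nothing after the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// cred is a key pair plus its certificate, generated in memory for this example.
type cred struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func (c *cred) tlsCert() tls.Certificate { return tls.Certificate{Certificate: [][]byte{c.cert.Raw}, PrivateKey: c.key} }
func (c *cred) pool() *x509.CertPool  { p := x509.NewCertPool(); p.AddCert(c.cert); return p }

// mint issues a self-signed root CA (parent ignored), or a server leaf (DNS SAN + serverAuth EKU)
// or client leaf (clientAuth EKU) signed by parent. Names and lifetimes are constructed for the demo.
func mint(name string, isCA, server bool, parent *cred) *cred {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IsCA:         isCA, BasicConstraintsValid: isCA,
	}
	signer := parent
	switch {
	case isCA:
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer = &cred{cert: tmpl, key: key} // self-signed root
	case server:
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	default:
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key))
	return &cred{cert: must(x509.ParseCertificate(der)), key: key}
}

// handshake runs one TLS handshake over loopback TCP; nil means each side accepted its peer.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		s := tls.Server(must(ln.Accept()), serverCfg)
		srvErr <- s.Handshake()
		s.Close()
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), clientCfg)
	cErr := c.Handshake()
	c.Close()
	// Under TLS 1.3 the client finishes before the server has judged its cert, so ask the server.
	if sErr := <-srvErr; sErr != nil {
		return fmt.Errorf("server side: %w", sErr)
	}
	if cErr != nil {
		return fmt.Errorf("client side: %w", cErr)
	}
	return nil
}

// RunScenarios returns the outcome of three handshakes, keyed by scenario name.
func RunScenarios() map[string]error {
	realCA, rogueCA := mint("Real Root CA", true, false, nil), mint("Rogue Root CA", true, false, nil)
	server, client := mint("web.example.test", false, true, realCA), mint("alice", false, false, realCA)
	srv := func(c *cred, auth tls.ClientAuthType) *tls.Config { // server verifies clients against realCA
		return &tls.Config{Certificates: []tls.Certificate{c.tlsCert()}, ClientAuth: auth, ClientCAs: realCA.pool(), SessionTicketsDisabled: true}
	}
	cli := func(certs []tls.Certificate, roots *x509.CertPool) *tls.Config { // client verifies the server against roots
		return &tls.Config{ServerName: "web.example.test", RootCAs: roots, Certificates: certs}
	}
	return map[string]error{
		"mutual":         handshake(srv(server, tls.RequireAndVerifyClientCert), cli([]tls.Certificate{client.tlsCert()}, realCA.pool())),
		"no client cert": handshake(srv(server, tls.RequireAndVerifyClientCert), cli(nil, realCA.pool())),
		// The impostor (same hostname, rogue issuer) asks for a client cert but never verifies it; the client
		// still presents alice's cert and accepts the server, since its own cert plays no part in checking the server.
		"rogue CA server": handshake(srv(mint("web.example.test", false, true, rogueCA), tls.RequestClientCert), cli([]tls.Certificate{client.tlsCert()}, rogueCA.pool())),
	}
}

func main() { fmt.Println(RunScenarios()) }
```

Running it prints a nil result for "mutual" and "rogue CA server" and a server-side error for "no client cert". The two checks are independent: the server's acceptance of the client depends on ClientAuth and ClientCAs, while the client's acceptance of the server depends only on RootCAs and ServerName, exactly as it would with no client certificate at all.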