by Arnavion
2207 days ago
It doesn't. The way client certs are useful is that a website that only uses client certs for authenticating clients removes the ability for the client's credentials to be leaked. Even if the user uses the client cert with a phishing site, the phishing site doesn't have the ability to impersonate the user against the real site because the private key is still on the client's device. In addition, if a browser is configured to automatically use a client cert for all requests to a particular domain, then even that leak doesn't happen because the browser would automatically not use the cert with the phishing domain.
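The property described in the comment above, as an added example that is not part of the original comment: a simplified Node.js model of the proof-of-possession step in client-certificate authentication, where the client signs a transcript tied to the handshake it is actually in. The domain names, the `certPolicy` set and the transcript layout are assumptions made for illustration, not real TLS message formats.

```javascript
// Added illustration: models the signature step of TLS client-certificate
// authentication. All names, domains and values here are constructed.
const crypto = require('node:crypto');

// The client's key pair; the private key never leaves this "device".
const clientKey = crypto.generateKeyPairSync('ed25519');

// Each handshake has a transcript covering the server's name and fresh randomness.
function newHandshake(serverName) {
  const nonce = crypto.randomBytes(32);
  const transcript = crypto.createHash('sha256')
    .update(serverName).update(nonce).digest();
  return { serverName, transcript };
}

// The client proves key possession by signing the transcript of *this* handshake.
function clientProof(handshake) {
  return crypto.sign(null, handshake.transcript, clientKey.privateKey);
}

// A server accepts only a signature over its own handshake transcript.
function serverAccepts(handshake, signature, registeredPublicKey) {
  return crypto.verify(null, handshake.transcript, registeredPublicKey, signature);
}

// Hypothetical browser policy: the cert is offered only to the configured domain.
const certPolicy = new Set(['bank.example']);
function browserOffersCert(serverName) {
  return certPolicy.has(serverName);
}

// The user connects to a look-alike site, which then opens its own session
// with the real site and presents the signature it received.
function phishingRelayOutcome() {
  const withPhisher = newHandshake('bank-login.example');
  const captured = clientProof(withPhisher);          // all the look-alike site receives
  const phisherToBank = newHandshake('bank.example'); // a different transcript
  return serverAccepts(phisherToBank, captured, clientKey.publicKey);
}

// The user connects directly to the real site.
function legitimateOutcome() {
  const hs = newHandshake('bank.example');
  return serverAccepts(hs, clientProof(hs), clientKey.publicKey);
}
```
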