
Support OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens #1101

@enricovianello

Description

From RFC 8705.

Mutual-TLS certificate-bound access tokens ensure that only the party in possession of the private key corresponding to the certificate can utilize the token to access the associated resources. Such a constraint is sometimes referred to as key confirmation, proof-of-possession, or holder-of-key and is unlike the case of the bearer token described in [RFC6750], where any party in possession of the access token can use it to access the associated resources. Binding an access token to the client's certificate prevents the use of stolen access tokens or replay of access tokens by unauthorized parties.

In practice, if the client establishes an mTLS connection using a valid certificate, the thumbprint of that certificate will be included in the Access Token. When the client requests protected resources using that Access Token, it must establish an mTLS connection using the same valid certificate. If not, the request is rejected.
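The binding check described above, as an added worked example (this is not code from the issue or from the project it is filed against). It shows both halves of RFC 8705: the authorization server computing the `x5t#S256` thumbprint of the client certificate and placing it in the token's `cnf` claim, and the resource server recomputing the thumbprint of the certificate presented on the mTLS connection and comparing it to the claim. Assumptions: the sample "certificates" are constructed stand-in DER bytes wrapped in PEM, not real X.509 certificates (the thumbprint algorithm only hashes the DER bytes, so the check behaves identically); the token is JWT-shaped but unsigned, and `token_is_bound_to_presented_cert` assumes signature verification has already been done by other code. Standard library only.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments and RFC 8705 thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def cert_thumbprint_s256(pem: str) -> str:
    """SHA-256 over the DER encoding of the certificate, base64url-encoded.

    This is the value RFC 8705 section 3.1 puts in cnf["x5t#S256"].
    """
    body = "".join(
        line.strip() for line in pem.strip().splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    der = base64.b64decode(body)
    return _b64url(hashlib.sha256(der).digest())


def make_access_token(claims: dict, client_cert_pem: Optional[str] = None) -> str:
    """Authorization-server side: issue a JWT-shaped access token.

    If the client authenticated over mTLS, bind the token to its certificate by
    adding the cnf claim. Without a certificate the token is a plain bearer token.
    The signature segment is a placeholder: signing is out of scope here (assumption).
    """
    payload = dict(claims)
    if client_cert_pem is not None:
        payload["cnf"] = {"x5t#S256": cert_thumbprint_s256(client_cert_pem)}
    header = {"typ": "at+jwt", "alg": "RS256"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


def token_is_bound_to_presented_cert(jwt: str, presented_cert_pem: Optional[str]) -> bool:
    """Resource-server side: accept the request only if the token's cnf thumbprint
    matches the client certificate presented on this mTLS connection.

    Assumes the JWT signature was already verified before this check runs.
    """
    try:
        _header, payload, _signature = jwt.split(".")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return False  # malformed token
    expected = claims.get("cnf", {}).get("x5t#S256") if isinstance(claims, dict) else None
    if not expected:
        return False  # not a certificate-bound token: reject where binding is required
    if presented_cert_pem is None:
        return False  # no client certificate on this connection, so nothing to compare
    actual = cert_thumbprint_s256(presented_cert_pem)
    return hmac.compare_digest(expected, actual)


def _pem_from_der(der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


# Constructed sample input: stand-in DER bytes, NOT real X.509 certificates.
CLIENT_A_PEM = _pem_from_der(b"constructed stand-in DER bytes for client A certificate")
CLIENT_B_PEM = _pem_from_der(b"constructed stand-in DER bytes for client B certificate")


if __name__ == "__main__":
    token = make_access_token({"sub": "client-a", "scope": "read"}, CLIENT_A_PEM)
    print("same cert   :", token_is_bound_to_presented_cert(token, CLIENT_A_PEM))
    print("other cert  :", token_is_bound_to_presented_cert(token, CLIENT_B_PEM))
    print("no mTLS cert:", token_is_bound_to_presented_cert(token, None))
```

The comparison uses `hmac.compare_digest` so a mismatch does not leak timing information about the expected thumbprint; a stolen certificate-bound token presented over a connection with a different certificate, or with no client certificate at all, is rejected, which is exactly the replay protection the RFC text above describes.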
