And you need a central online API to validate the token’s validity, which means any system using it needs to be connected to the Internet, and that API needs to be very reliable, kept up-to-date, and DDOS resistant.

Or require the user to enter a PIN like with x509 certs, but then you also need a way for people to reset their PIN when it gets forgotten or compromised which means a huge bureaucratic burden and expense. And between the time of needing a reset and getting it, you’ll be unable to access any services requiring your ID token which will almost definitely cause some people from making payments (if banks change to requiring a digital ID token) and who knows what else.