Read this earlier post on Web Services Security.
There are a couple of major differences between a token and a certificate.
Tokens are essentially a symmetric key. That means that the same key has to be both on the client and the server to be able to authenticate users.
Certificates use an asymmetric pair of keys. Certificates are based on public-key cryptography, and the client has one key (the private key) that is never shared with anyone else.
The public key is sent to the Certificate Authority to be signed and stamped into a certificate. When a client connects to the server, it signs something using the private key (the one never shared). When client SSL is used, it signs a challenge that is sent by the server; if WS-Security is used, the client signs the whole message that is sent. The server then uses the certificate (which includes the public key) to verify that the signature was made by the specific private key that the client holds (using public-key cryptography).
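The certificate flow described above, as an added Go example that is not from the original post: a CA signs the client's public key into a certificate, the client signs the server's challenge, and the server checks both using only the CA certificate. The function names, the subject names and the choice of Ed25519 are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds pub to the name cn in a certificate signed by signer (a self-signed CA when parent is nil).
func issue(cn string, serial int64, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // the CA certifies itself and is the only party allowed to sign certificates
		tmpl.IsCA, tmpl.KeyUsage, parent = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err) // demo only: real code returns the error
	}
	return cert
}
// serverVerify holds no client secret: the certificate must chain to the CA and the signature must match its public key.
func serverVerify(ca, clientCert *x509.Certificate, challenge, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := clientCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	pub, ok := clientCert.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, challenge, sig)
}
// demo returns the server's verdict for the key owner and for an impostor who presents the same certificate.
func demo() (bool, bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // key generation errors ignored for brevity
	clientPub, clientKey, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorKey, _ := ed25519.GenerateKey(rand.Reader) // some other private key, not the certified one
	ca := issue("Example CA", 1, caPub, nil, caKey)
	clientCert := issue("example-client", 2, clientPub, ca, caKey) // the CA sees only the public key
	challenge := make([]byte, 32)
	rand.Read(challenge) // the server's fresh random challenge
	return serverVerify(ca, clientCert, challenge, ed25519.Sign(clientKey, challenge)),
		serverVerify(ca, clientCert, challenge, ed25519.Sign(impostorKey, challenge))
}
func main() { fmt.Println(demo()) }
```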