Bound Access Tokens : is it also mandatory to add X.509 client certificate authentication to browser flows?

Hello,

I would like to use Bound Access Tokens
but i would like to know if I also need to add X.509 client certificate authentication to browser flows ?

In other words, does it work only when a client is authenticated by KeyCloak thanks to a X.509 client certificate ?

The underlying question is : is the token bound to a device certificate or a user certificate ?

Regards