
The primary difference is that you can have short-lived certificates, but ssh-keys are eternal. If you fail to remove one, it sticks around and may come back to bite you if compromised at a later point. Certificates expire, after which they’re useless to an attacker.



One of the nice options in recent versions of OpenSSH is the "expiry-time" key option you can put in authorized_keys. There are also other handy options to restrict the usage of the key; for example, you can limit the key to be used only as a jump host. One can combine them so the users on the jump host will not be able to execute any command and not even be able to edit the authorized_keys file and remove the "expiry-time" option.
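A small audit script in the spirit of this comment, added here as an example that is not from the thread or from OpenSSH: it parses the option list on each authorized_keys line (quoted values and backslash escapes included), interprets expiry-time, and flags keys that never expire, have already expired, lack a forced command (and so could still be used to edit authorized_keys), or leave forwarding unrestricted. The sample file, key blobs and audit time are constructed; the sample's first line is the jump-host-only shape the comment describes (restrict plus port-forwarding and permitopen to one target, a forced command, and an expiry).

```python
from datetime import datetime, timezone

# Constructed sample authorized_keys (not from the thread); the key blobs are fake.
SAMPLE = """\
restrict,port-forwarding,permitopen="10.0.0.5:22",command="/bin/false",expiry-time="20240630" ssh-ed25519 AAAAC3Fake1 alice@jump
ssh-ed25519 AAAAC3Fake2 bob@laptop
expiry-time="20991231Z",restrict ssh-ed25519 AAAAC3Fake3 carol@audit
"""
AUDIT_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)  # constructed "now" for the sample
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")  # a line starting with one carries no options
def parse_line(line):
    """Return (options dict, key comment). Options end at the first unquoted space; unquoted commas split them."""
    line = line.strip()
    opts, cur, quoted, i = [], "", False, 0
    if not line.startswith(KEY_TYPES):
        while i < len(line) and (quoted or not line[i].isspace()):
            c = line[i]
            if c == "\\" and quoted and i + 1 < len(line):
                i += 1; cur += line[i]      # backslash-escaped character inside quotes
            elif c == '"':
                quoted = not quoted         # quotes delimit a value and are dropped
            elif c == "," and not quoted:
                opts.append(cur); cur = ""
            else:
                cur += c
            i += 1
        opts.append(cur)
    # bare flags such as "restrict" map to True; name=value options keep their value
    parsed = {n.lower(): (v if eq else True) for n, eq, v in (o.partition("=") for o in opts)}
    fields = line[i:].split(None, 2)  # key type, base64 blob, comment
    return parsed, (fields[2] if len(fields) > 2 else "")
def expiry(opts):
    """expiry-time is YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z], local time unless Z; None means never expires."""
    v = opts.get("expiry-time")
    if not v:
        return None
    utc, v = v.endswith("Z"), v.rstrip("Z")
    dt = datetime.strptime(v, {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(v)])
    return dt.replace(tzinfo=timezone.utc) if utc else dt.astimezone()
def audit(text, now):
    # per key comment, the problems found; [] means time-limited, no shell, no free forwarding
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, comment = parse_line(line)
        exp = expiry(opts)
        issues = ["no expiry-time"] if exp is None else ["expired"] if exp <= now else []
        if "command" not in opts:
            issues.append("shell allowed, so authorized_keys itself can be edited")
        if "restrict" not in opts and "no-port-forwarding" not in opts:
            issues.append("forwarding not restricted")
        findings.append((comment, issues))
    return findings
```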



