Onboard certificates are marked as non-exportable so it would be very
difficult to export the certificate.
You can layer on profiling conflict checks as well as potentially do a MAC
check against the MAC address embedded in the cert. Remember that the
certificate takes the place of only the password. You should leverage the
authorization phase to look at other information about the device and user.