Client certificates are still used in enterprises. There are a few downsides though:
1. Prior to TLS 1.3, client certificates were sent in the clear. Anyone watching the TLS handshake could know exactly who was using a site. TOTP/HOTP/WebAuthn have always happened after the TLS session was established, preventing this eavesdropping. This isn't a big deal for enterprise uses, but can be unwanted by users who are expecting privacy.
2. Client certificates can easily be stolen by malware on OSs that provide no isolation between user apps. If the browser running under a user's account can access the client certificate, so can malware. Most phone OSs have strong isolation between apps, and WebAuthn tokens typically require a user's touch, so the tokens are less accessible to malware. However, TOTP/HOTP/WebAuthn are not without their own weaknesses here; malware can steal the browser's cookies on OSs that don't provide isolation between user apps.

Outlawing all USB would be difficult. Most computers rely on USB for keyboard/mouse. Most OSs today provide enterprises with a way to list the USB device classes that are allowed to be connected. Anything not listed (USB storage, for example) should be blocked by the OS.
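
The default-deny class allowlist described above, sketched as an added example that is not part of the original answer and is not any OS's actual policy engine. The allowed set, the `UsbDevice` type, the function names and the sample devices are all assumptions made for illustration; the class codes are the standard USB base classes.

```python
from dataclasses import dataclass

# Standard USB base class codes (subset) used for readable output.
USB_CLASS_NAMES = {0x01: "audio", 0x03: "hid", 0x08: "mass-storage",
                   0x09: "hub", 0x0B: "smart-card", 0x0E: "video"}

# Assumed enterprise policy: keyboards/mice, hubs and smart-card readers only.
ALLOWED_CLASSES = frozenset({0x03, 0x09, 0x0B})

@dataclass(frozen=True)
class UsbDevice:
    name: str
    device_class: int         # bDeviceClass; 0x00 means "declared per interface"
    interface_classes: tuple  # bInterfaceClass of every interface

def effective_classes(dev):
    """Every class the device exposes, at device and interface level."""
    classes = set(dev.interface_classes)
    if dev.device_class != 0x00:
        classes.add(dev.device_class)
    return classes

def evaluate(dev, allowed=ALLOWED_CLASSES):
    """Return (decision, offending class names). Anything not listed is blocked."""
    classes = effective_classes(dev)
    if not classes:
        return "block", []  # nothing declared, so nothing matches the allowlist
    offending = sorted(c for c in classes if c not in allowed)
    names = [USB_CLASS_NAMES.get(c, hex(c)) for c in offending]
    return ("block" if offending else "allow"), names

# Constructed sample devices (not captured from real hardware).
SAMPLES = [
    UsbDevice("keyboard", 0x00, (0x03,)),
    UsbDevice("flash drive", 0x00, (0x08,)),
    # Composite device: one allowed interface does not excuse the other.
    UsbDevice("keyboard with built-in storage", 0x00, (0x03, 0x08)),
    UsbDevice("hub", 0x09, (0x09,)),
    UsbDevice("vendor-specific gadget", 0xFF, (0xFF,)),
]

def decisions(devices=SAMPLES):
    return {d.name: evaluate(d) for d in devices}

if __name__ == "__main__":
    for name, (decision, why) in decisions().items():
        print(f"{decision:5} {name} {why}")
```

Evaluating every interface rather than only the first is what keeps a composite device from passing on the strength of its keyboard interface while also exposing storage.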