An attacker can obtain only the public part of the certificate, which is what travels over the network; the private part stays on the user's device in dedicated storage that the OS protects. To gain access to your account, both parts of the certificate are required: the public part and the private key.
To obtain the private part, the attacker would need physical control of the device on which the certificate is stored; it cannot be taken remotely, as described above. Extracting it would additionally require administrative rights on that device.
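The property described above, as an added example that is not part of the original page: a challenge-response login driven by the openssl command-line tool. The server holds only the public part, the device signs a fresh random challenge with its private key, and a second key pair (standing in for an attacker who captured the public part from the network) cannot produce a valid response. The temporary file names, the P-256 curve and the 32-byte nonce are assumptions.

```shell
# Added example: certificate-style login with openssl. Assumed layout:
# every key and message lives in a scratch directory.
WORK=$(mktemp -d)

# Device side: create a key pair. The .key file (private part) never leaves
# the device; only the .pub file (public part) is enrolled at the server.
gen_keypair() {   # $1 = name of the holder (device, attacker, ...)
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl ec -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Server side: a fresh random nonce; this is what crosses the network.
issue_challenge() {
  openssl rand -hex 32 > "$WORK/challenge"
}

# Device side: prove possession of the private key by signing the nonce.
sign_challenge() {   # $1 = private key file
  openssl dgst -sha256 -sign "$1" -out "$WORK/sig" "$WORK/challenge"
}

# Server side: check the response using the enrolled public part only.
verify_response() {   # $1 = public key file; exit status 0 means valid
  openssl dgst -sha256 -verify "$1" -signature "$WORK/sig" "$WORK/challenge" >/dev/null 2>&1
}

# Legitimate flow: the device holding device.key answers the challenge.
legit_login() {
  gen_keypair device
  issue_challenge
  sign_challenge "$WORK/device.key"
  verify_response "$WORK/device.pub"
}

# An attacker who captured device.pub but holds only their own private key
# cannot sign a response that verifies against the enrolled public part.
forged_login_fails() {
  gen_keypair device
  gen_keypair attacker
  issue_challenge
  sign_challenge "$WORK/attacker.key"
  if verify_response "$WORK/device.pub"; then return 1; fi
  return 0
}

# Replaying a captured response against a new challenge also fails,
# which is why the server issues a fresh nonce for every login.
replay_fails() {
  gen_keypair device
  issue_challenge
  sign_challenge "$WORK/device.key"
  issue_challenge
  if verify_response "$WORK/device.pub"; then return 1; fi
  return 0
}
```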
Linked article: What if the device with the digital certificate is stolen?