I think a dedicated device (e.g. smartcard or USB dongle) is a better option. I know they've had their problems, but personal computers get owned all the time, since they're simply too exposed.

Unless somebody steals it.

The part I liked about the system in Slovenia isn't so much the particulars of where or how the certificate is stored, but about how it's issued. Since the bit I was answering was "But how do you map a key to a person"

A stolen hardware key is likely to be noticed though.

Perhaps a better approach regardless of how it's stored is notification of use?