A logout button could work the same way as with usernames and passwords. Sure you could use the cert to reauth the user with every page load but you could also use a traditional login page you just replace the user / password entry with the certificates and then operate as usual from there. Same with privacy it is all in the implementation details.
A logout button doesn't give extra security if anyone with access to the PC can hit the 'login' button. So unless access to the cert is behind a password there is no useful way to logout using client certs.
The user usually has the option to require a pin be supplied to unlock the hardware token. The advantage to certificates on a hardware token is that they can't be stolen remotely unlike a user name and password which can be compromised on either the user end or service provider end.
i.e., put a cookie on the site, and trust the cookie instead of the cert for all pages except the login one? That leaves you with all the usual problems of cookie-based logins that certs are supposed to solve (revocation, risk of being stolen, etc.), and also if you want to do that you can just put a private key in localStorage and use WebCrypto on the login page. Or with username + no password + FIDO security key as your only factor, if you want a hardware token, or whatever. There's no advantage in using SSL for this.
The point of the hardware token is that the credential never touches the PC. Putting a private key in local storage is no better than a user name and password because it leaves it open to theft. The most common problem that an everyday user faces is either a data breach on the service provider end or a virus / keylogger on their PC. Hardware tokens with certs solve both those problems in terms of account access.
