Remember that a KDC may not be in a position to know whether a particular user can use pkinit. So, no token will mean no pkinit when such a user logs into a pkinit-enabled workstation.