diff --git a/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs b/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs index d4d4ec69..f81649bd 100644 --- a/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs +++ b/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs @@ -53,9 +53,13 @@ public class InteractiveService : BackgroundService // While this sample deliberately doesn't store the generated certificate in a persistent // location, the certificate used for token binding should typically be stored in the user // certificate store to be reloaded across application restarts in a real-world application. - var certificate = configuration.TlsClientCertificateBoundAccessTokens is true - ? GenerateEphemeralTlsClientCertificate() - : null; + var certificate = registration.ClientType switch + { + ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true + => GenerateEphemeralTlsClientCertificate(), + + _ => null + }; var flow = await GetSelectedFlowAsync(registration, configuration, stoppingToken); @@ -166,9 +170,13 @@ public class InteractiveService : BackgroundService var type = await GetSelectedGrantTypeAsync(registration, configuration, stoppingToken); if (type is GrantTypes.DeviceCode) { - var certificate = configuration.TlsClientCertificateBoundAccessTokens is true - ? GenerateEphemeralTlsClientCertificate() - : null; + var certificate = registration.ClientType switch + { + ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true + => GenerateEphemeralTlsClientCertificate(), + + _ => null + }; // Ask OpenIddict to send a device authorization request and write // the complete verification endpoint URI to the console output. 
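Review bot: The same switch expression is pasted four times in InteractiveService (this hunk and the ones at -166, -256 and -339), and none of the copies says why token binding is now limited to `ClientTypes.Public`; the comment kept above the first copy only covers where the certificate should be stored. Presumably confidential clients are expected to present their registered credentials rather than an ephemeral certificate, but that reasoning belongs in code once, and a registration whose `ClientType` is unset would also fall through to `null` and silently lose binding, which is worth confirming is intended. Extracting the expression into one documented helper removes the duplication and gives the rationale a home; each call site becomes `var certificate = GetTokenBindingCertificate(registration, configuration);`. The enclosing methods start and end outside these hunks.

```csharp
// Returns an ephemeral certificate for TLS client certificate-bound access tokens when the
// server advertises support for them and the registration is a public client. Other client
// types get null here, presumably because they authenticate with their own registered
// credentials instead (assumption — confirm against the client's mTLS handling).
// Return type assumed to match GenerateEphemeralTlsClientCertificate().
private static X509Certificate2? GetTokenBindingCertificate(
    OpenIddictClientRegistration registration, OpenIddictConfiguration configuration)
    => registration.ClientType switch
    {
        ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true
            => GenerateEphemeralTlsClientCertificate(),

        _ => null
    };
```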
@@ -256,9 +264,13 @@ public class InteractiveService : BackgroundService { var (username, password) = (await GetUsernameAsync(stoppingToken), await GetPasswordAsync(stoppingToken)); - var certificate = configuration.TlsClientCertificateBoundAccessTokens is true - ? GenerateEphemeralTlsClientCertificate() - : null; + var certificate = registration.ClientType switch + { + ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true + => GenerateEphemeralTlsClientCertificate(), + + _ => null + }; AnsiConsole.MarkupLine("[cyan]Sending the token request.[/]"); @@ -339,9 +351,13 @@ public class InteractiveService : BackgroundService await GetSubjectTokenAsync(stoppingToken), await GetActorTokenAsync(stoppingToken)); - var certificate = configuration.TlsClientCertificateBoundAccessTokens is true - ? GenerateEphemeralTlsClientCertificate() - : null; + var certificate = registration.ClientType switch + { + ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true + => GenerateEphemeralTlsClientCertificate(), + + _ => null + }; AnsiConsole.MarkupLine("[cyan]Sending the token request.[/]"); diff --git a/sandbox/OpenIddict.Sandbox.WinForms.Client/Program.cs b/sandbox/OpenIddict.Sandbox.WinForms.Client/Program.cs index 9b3b1025..a54a7102 100644 --- a/sandbox/OpenIddict.Sandbox.WinForms.Client/Program.cs +++ b/sandbox/OpenIddict.Sandbox.WinForms.Client/Program.cs @@ -98,10 +98,6 @@ var host = new HostBuilder() .SetRedirectUri("com.openiddict.sandbox.winforms.client://callback/login/github"); }); }); - - // - // Note: in a real world application, this step should be part of a setup script. - // services.Insert(0, ServiceDescriptor.Singleton()); }) .ConfigureWinForms() .UseWinFormsLifetime() diff --git a/src/OpenIddict.Abstractions/OpenIddictResources.resx b/src/OpenIddict.Abstractions/OpenIddictResources.resx index 52ef7548..218911a9 100644 --- a/src/OpenIddict.Abstractions/OpenIddictResources.resx 
+++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx @@ -1849,7 +1849,7 @@ To use a custom policy relying on the system store, set 'OpenIddictServerOptions mTLS endpoint aliases cannot be set when the corresponding endpoints have not been enabled. - Public Key Infrastructure certificates cannot contain private keys. + Certificates attached to client authentication policies cannot contain private keys. A certificate-based client authentication or token binding method was negotiated but no suitable certificate could be found. diff --git a/src/OpenIddict.Server/OpenIddictServerBuilder.cs b/src/OpenIddict.Server/OpenIddictServerBuilder.cs index 1f802afe..dabdd762 100644 --- a/src/OpenIddict.Server/OpenIddictServerBuilder.cs +++ b/src/OpenIddict.Server/OpenIddictServerBuilder.cs @@ -2420,7 +2420,6 @@ public sealed class OpenIddictServerBuilder /// /// The delegate used to amend the created X.509 chain policy. /// The instance. - [EditorBrowsable(EditorBrowsableState.Advanced)] public OpenIddictServerBuilder EnableSelfSignedTlsClientAuthentication(Action configuration) { ArgumentNullException.ThrowIfNull(configuration); diff --git a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs index 438f96d5..c22ca515 100644 --- a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs +++ b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs 
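Review bot: Dropping `[EditorBrowsable(EditorBrowsableState.Advanced)]` here, and from `SelfSignedTlsClientAuthenticationPolicy` in the OpenIddictServerOptions hunk, makes self-signed TLS client authentication show up in default completion, so the method's XML summary should carry the caveat the options property already states about not relying on the system certificate store. Only the `<param>`/`<returns>` lines of the doc block are visible in this hunk; if the summary already says this, nothing to do. Otherwise a single line such as `/// <remarks>Self-signed client certificates cannot be chained to a trusted root; the chain policy amended here should not be relaxed to rely on the system certificate store (see <see cref="OpenIddictServerOptions.SelfSignedTlsClientAuthenticationPolicy"/>).</remarks>` would do. EnableSelfSignedTlsClientAuthentication's body continues outside the hunk.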
@@ -348,13 +348,13 @@ public sealed class OpenIddictServerConfiguration : IPostConfigureOptions().Any()) + if (options.SelfSignedTlsClientAuthenticationPolicy.ExtraStore.Count is not 0) { throw new InvalidOperationException(SR.GetResourceString(SR.ID0502)); } #if SUPPORTS_X509_CHAIN_POLICY_CUSTOM_TRUST_STORE && SUPPORTS_X509_CHAIN_POLICY_TRUST_MODE - if (options.SelfSignedTlsClientAuthenticationPolicy.CustomTrustStore.Cast().Any()) + if (options.SelfSignedTlsClientAuthenticationPolicy.CustomTrustStore.Count is not 0) { throw new InvalidOperationException(SR.GetResourceString(SR.ID0502)); } diff --git a/src/OpenIddict.Server/OpenIddictServerOptions.cs b/src/OpenIddict.Server/OpenIddictServerOptions.cs index a8ab0037..63a4881e 100644 --- a/src/OpenIddict.Server/OpenIddictServerOptions.cs +++ b/src/OpenIddict.Server/OpenIddictServerOptions.cs @@ -716,6 +716,5 @@ public sealed class OpenIddictServerOptions /// the system certificates store, doing so is strongly discouraged. /// /// - [EditorBrowsable(EditorBrowsableState.Advanced)] public X509ChainPolicy? SelfSignedTlsClientAuthenticationPolicy { get; set; } }
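Review bot: The replacement checks reject any entry in `ExtraStore` and `CustomTrustStore` and both throw `SR.ID0502`, so the exception a user gets does not say which store was populated; either a distinct resource per store or a comment above the first check stating why a self-signed policy must not carry extra or custom trust certificates would help. If ID0502 is the string reworded in the OpenIddictResources.resx hunk ("Certificates attached to client authentication policies cannot contain private keys"), it also does not describe this condition, since the new `Count is not 0` checks fire regardless of whether the certificates hold private keys; the ID mapping is not visible here, so worth confirming. `Count is not 0` itself is fine for `X509Certificate2Collection`. The first removed line of this hunk is garbled in this rendering, and the enclosing method starts outside it.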