[ultra-pre-RFC] Client Certificates for Cargo instead of shared tokens

Mutual TLS is great for service-to-service authentication, particularly when no requests to a service are allowed unless the client principal is recognized. However, I'm less enthusiastic about the idea when the client is a human, or when much of the API will still, by necessity, be accessible without MTLS.

API tokens are easier to work with for both clients and developers, can permit flexible AuthZ policies, and can be bound to a TLS channel using token binding.

I think some more valuable work than attempting to switch to MTLS would be to better protect crates.io tokens on disk (e.g. encrypting them under a password, and prompting for a password when they are used).

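The at-rest protection suggested in the last paragraph (token encrypted under a password, password prompted for at use time), as an added example that is not part of the original post and not cargo's own credential handling. The JSON file layout, the scrypt parameters and the helper names are this example's own choices. To stay runnable with only the Python standard library it uses scrypt for key derivation, an HMAC-SHA256 counter-mode keystream for confidentiality and a separate HMAC-SHA256 key for integrity (encrypt-then-MAC); a real implementation would swap that construction for a standard AEAD such as ChaCha20-Poly1305 or AES-GCM, keeping the same salt, nonce, key-separation and verify-before-decrypt structure.

```python
import hashlib
import hmac
import json
import os
import secrets
from getpass import getpass
from typing import Optional, Tuple

# Example parameters (assumptions for this illustration): scrypt cost settings
# and a 64-byte derived key split into an encryption key and a MAC key.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 64


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the password with scrypt."""
    km = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, dklen=KEY_LEN, maxmem=64 * 1024 * 1024)
    return km[:32], km[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (a PRF run in CTR mode).

    Stand-in for a standard AEAD so the example runs without third-party packages.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal_token(token: str, password: str) -> dict:
    """Encrypt a token under a password: fresh salt and nonce, encrypt-then-MAC."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = keystream_xor(enc_key, nonce, token.encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_token(blob: dict, password: str) -> str:
    """Verify the MAC (constant time) before decrypting; fail closed otherwise."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password, or credentials file was tampered with")
    return keystream_xor(enc_key, nonce, ciphertext).decode()


def token_opens(blob: dict, password: str) -> bool:
    """True if the password is right and the stored blob is intact."""
    try:
        open_token(blob, password)
        return True
    except ValueError:
        return False


def write_credentials(path: str, token: str, password: str) -> None:
    """Store the sealed token with mode 0600 so other local users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(seal_token(token, password), f)


def read_credentials(path: str, password: Optional[str] = None) -> str:
    """Prompt for the password at use time (e.g. right before a publish)."""
    if password is None:
        password = getpass("crates.io credentials password: ")
    with open(path) as f:
        return open_token(json.load(f), password)
```

A wrong password and a modified ciphertext both fail the same way, at the MAC check, so the caller cannot distinguish them and no partially decrypted token is ever returned. The plaintext token exists only in memory for the duration of the request that needs it, which is the property the post argues for over leaving it readable on disk.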