
As far as I understand, it's possible to issue SSL certificates that could be used by clients for authentication. So in theory only users with valid certificates would be able to access a certain web service.

So is it safe to assume that, if SSL client certificate authentication is used, possibly vulnerable, high-impact web applications could be exposed to the internet without risk of access by unauthorized persons?

How does this compare to using VPN?

WhatIsName

2 Answers


If you use a VPN you still need to authenticate the user to establish the VPN. A client certificate is a very good authentication factor, but it should be used in conjunction with a password, as there are several examples of malware that steals certificates, in addition to other ways they can be compromised. Client certificates tend to have a support overhead associated with them, so they are not practical if you have a small support organisation and/or a lot of users.

There are also many other ways a web server can be compromised, such as through vulnerabilities, SQL injection etc. (though VPN or certs reduce the likelihood somewhat due to the reduced public attack surface). You could also consider something like Google Authenticator.

Andy Boura

Authentication of the client does not prevent cross-site attacks against the web application like CSRF or reflected XSS. It only prevents direct access by a third party. It does not matter what kind of authentication you use, i.e. it is all the same for passwords, two-factor, client certificates or whatever. The same is true for VPN.

Steffen Ullrich
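The following is an added example illustrating the point made in this answer; it is not code from the question or either answer. It models a web application sitting behind a TLS terminator (nginx, for instance) that has already verified the client certificate and forwards the certificate subject as the authenticated identity. The browser presents the client certificate during the TLS handshake on every request to that site, including requests a third-party page forces it to make, so the application sees a fully authenticated user and still cannot tell whether the user intended the action. The handler below is shown once trusting the identity alone and once additionally checking request intent (Origin header and a per-user CSRF token). All names (`Request`, `handle_transfer`, `SITE_ORIGIN`, the example DNs and balances) are hypothetical.

```python
# Added example, not code from the original question or answers. Models an
# application behind a TLS terminator that verified the client certificate and
# passes the subject DN through. All names and sample data are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "https://bank.example"  # hypothetical origin of the protected app


@dataclass
class Request:
    method: str
    path: str
    # Subject DN of the verified client certificate as the proxy would pass it
    # on; None means the TLS handshake carried no acceptable client certificate.
    client_dn: Optional[str]
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class AppState:
    balances: Dict[str, int]
    csrf_tokens: Dict[str, str] = field(default_factory=dict)  # per user


def fresh_state() -> AppState:
    # Constructed sample data.
    return AppState(balances={"CN=alice": 100, "CN=mallory": 0})


def issue_csrf_token(state: AppState, client_dn: str) -> str:
    # Handed out with the application's own form; a foreign page cannot read it.
    token = secrets.token_urlsafe(32)
    state.csrf_tokens[client_dn] = token
    return token


def handle_transfer(req: Request, state: AppState, csrf_protected: bool) -> Tuple[int, str]:
    """POST /transfer with form fields 'to' and 'amount'. Returns (status, message)."""
    if req.method != "POST" or req.path != "/transfer":
        return 404, "not found"
    # Authentication: the TLS layer tells us who holds the certificate's key.
    if req.client_dn is None:
        return 401, "client certificate required"
    if csrf_protected:
        # Intent checks: a cross-site POST arrives with a foreign Origin and
        # cannot carry the user's CSRF token. Authentication alone skips this.
        if req.headers.get("Origin") != SITE_ORIGIN:
            return 403, "cross-origin request rejected"
        expected = state.csrf_tokens.get(req.client_dn, "")
        if not expected or not hmac.compare_digest(expected, req.form.get("csrf_token", "")):
            return 403, "missing or invalid CSRF token"
    to, amount = req.form["to"], int(req.form["amount"])
    if state.balances.get(req.client_dn, 0) < amount:
        return 400, "insufficient funds"
    state.balances[req.client_dn] -= amount
    state.balances[to] = state.balances.get(to, 0) + amount
    return 200, f"moved {amount} from {req.client_dn} to {to}"


def legitimate_request(state: AppState) -> Request:
    # Alice submits the application's own form, which embedded her token.
    token = issue_csrf_token(state, "CN=alice")
    return Request("POST", "/transfer", client_dn="CN=alice",
                   headers={"Origin": SITE_ORIGIN},
                   form={"to": "CN=bob", "amount": "10", "csrf_token": token})


def cross_site_request() -> Request:
    # Alice visits https://evil.example, whose page auto-submits a form to the
    # bank. Her browser completes the TLS handshake with her client certificate,
    # so the request is authenticated as Alice, but from the wrong origin and
    # without a token.
    return Request("POST", "/transfer", client_dn="CN=alice",
                   headers={"Origin": "https://evil.example"},
                   form={"to": "CN=mallory", "amount": "100"})


def demo() -> Dict[Tuple[str, bool], Tuple[int, str]]:
    results = {}
    for protected in (False, True):
        state = fresh_state()
        results[("legit", protected)] = handle_transfer(legitimate_request(state), state, protected)
        results[("csrf", protected)] = handle_transfer(cross_site_request(), fresh_state(), protected)
    return results


if __name__ == "__main__":
    for (kind, protected), (status, msg) in demo().items():
        print(f"{kind:5} csrf_protected={protected!s:5} -> {status} {msg}")
```

Run with `csrf_protected=False` the forged request succeeds with status 200 and drains Alice's balance to Mallory, exactly as it would with a password or VPN login; the client certificate has answered "who" correctly. The same applies to a reflected XSS payload, which executes inside Alice's authenticated session. Only the Origin and token checks, which are application-level concerns independent of the authentication method, reject the cross-site request.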