
The capacity to grant access as a specific remote user is present without certs as well, right? The typical authorized_keys file lives under a user directory and grants access only to that user.


The main advantage of certificates is that you are able to do that from the CA without touching the target machine.


Certs may still be the right approach, but OpenSSH also supports an AuthorizedKeysCommand which could be a secure HTTPS request to a central server to pull down a dynamically generated authorized_keys file content for the particular user and host.

If your endpoints can securely and reliably reach a central server, this gives you maximum control (your authorized_keys HTTPS server can have any custom business logic you want) without having to deal with certs/CAs.
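The AuthorizedKeysCommand setup described in the comment above, as an added example that is not part of the thread: a helper that asks a central HTTPS server for a user's keys and passes only well-formed key lines to sshd. The endpoint URL, install path, service account name and the policy of refusing lines that carry options are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example: helper for sshd's AuthorizedKeysCommand. In sshd_config
# (install path and service account are assumptions):
#   AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
#   AuthorizedKeysCommandUser sshkeys
import base64, binascii, socket, struct, sys
import urllib.parse, urllib.request

KEY_SERVER = "https://keys.example.internal/authorized_keys"  # hypothetical endpoint
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}

def valid_key_line(line):
    """Accept only 'type base64 [comment]'; option prefixes are refused."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False  # covers command="..." and other leading options
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    # The blob begins with a length-prefixed key type that must match field 1.
    return blob[4:4 + n] == parts[0].encode()

def filter_keys(body):
    """Keep well-formed key lines from the server response, drop the rest."""
    lines = (raw.strip() for raw in body.splitlines())
    return [line for line in lines if valid_key_line(line)]

def fetch_keys(user, host, opener=urllib.request.urlopen):
    """GET the key list over HTTPS; return [] on any error (fail closed)."""
    query = urllib.parse.urlencode({"user": user, "host": host})
    try:
        with opener(f"{KEY_SERVER}?{query}", timeout=5) as resp:
            if resp.status != 200:
                return []
            return filter_keys(resp.read(65536).decode("ascii"))
    except (OSError, ValueError):
        return []  # unreachable server, TLS failure, bad encoding

def main(argv):
    if len(argv) != 2:
        return 1
    keys = fetch_keys(argv[1], socket.gethostname())
    if keys:
        print("\n".join(keys))
    return 0 if keys else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

When the key server cannot be reached the helper prints nothing, and sshd then continues with the usual AuthorizedKeysFile if one is configured.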


Exactly. This is really useful in larger organizations where you may want more complex rules on access. For example, you can easily build "break glass" or 2nd party approved access on demand. You can put whatever logic you need in a CA front-end.

You can also make all the certs short-lived (and only store them in RAM).


The way I've been doing that is with Shamir Secret Sharing and encrypting keys until glass-breaking is necessary.


Generating tons of keys? Or just broad keys?

What I've done is generate a cert for the host(s) the user needs, for the time-span they need (subject to authorization logic).


And when your or someone else's infra is down to such a degree that you need SSH access, you do not want to depend on being able to touch that machine first. The same is true with custom AuthorizedKeysCommands that phone home.



