This is a sore point, smart card logon with certificates. There is no universal and simple suitable solution, even a paid one. Everywhere there are terrible creepy crutches that you either cannot master yourself in a reasonable time, or they work terribly crookedly. There, in general, there is a simple authorization system, public keys are stored on the cards, private keys are stored on the domain controller, when you enter using the card, the key pairs are checked. And, of course, not the certificate files themselves are checked, but their hashes. By analogy with imsi keys in mobile SIM cards. Therefore, you need to start by looking for suitable rewritable SC cards, where to find them at all - to be honest, I have no idea.
In theory, dry and briefly - as you know, there are 2 types of SC standard cards - those where the key (or a set of some data, or a certificate file) is tightly sewn one-time (bank), and those where it can be overwritten by hand as needed.
Both of them, in addition, can be protected by a pin code that blocks the card in the event of N attempts to enter the wrong pin code.
Well, the whole infrastructure is built, of course, on the creation of its own CA in AD, which will steer the release of pairs of certificates and associate them with end accounts. And the mechanism for reading data from the card in Windows is simple, no additional software is needed, the system already has everything you need in the core, connected the SC card reader and Windows itself already offers, if the computer is in the domain, enter using a smart card.

The issue is partially resolved: the factory code from Mifare Classic is FF FF FF FF FF FF, but it's not clear what to do with used cards from which there are no codes