My conclusion is that there is only one way to revoke a certificate that is valid in a Qlik Sense API call: You must change your instance's Certificate Authority cert. That means that if one is ever compromised, anywhere, you must change your entire Qlik Sense installation instead of just revoking the single, compromised certificate. Too bad for you if you have a complicated, multi-node installation.
I came to this conclusion because I just had to reinstall Qlik Sense 3.1. I chose to keep the already-installed CA cert, but then I manually went through the c:\Program Data\Qlik\Sense directory and deleted everything (I also checked over in Program Files). After install, I got right into the API without changing anything on the client machine I was using to test API calls. That tells me that all Qlik looks for is a cert that's signed by its custom CA cert and has CN="QlikClient". Though, if the sample code in qlik-auth-net is any indication, it might actually be looking for X509Certificate2.FriendlyName = "QlikClient" rather than parsing the Subject using X509Certificate2.GetNameInfo(X509NameType.DnsName, false) as it ought.