You could use either or both based on your exact requirements.
Subscription Keys are best to leverage the bundled Developer Portal to allow external/internal developers to test out APIs from the portal and subscribe to APIs as required. Also, when using subscription keys, there are policies rate-limit and quota, and reports scoped to subscriptions.
Client Certificates can be an added protection, requiring clients to both know the subscription key and have the client certificate installed on the client machine.
Another option to consider is OAuth-based Security.