The Validate Certificate assertion is used to validate an X.509 certificate held in a context variable. More information can be found here: https://docops.ca.com/ca-api-gateway/9-3/en/policy-assertions/assertion-palette/message-validation-transformation-assertions/validate-certificate-assertion
The Validate Certificate Assertion documentation contains this disclaimer: A valid certificate does not ensure authentication. In other words, the Gateway does not check to ensure that the user possesses a private key.
Questions
If one runs this assertion against ${request.ssl.clientCertificate}, can one be sure that the client possesses the private key related to the certificate in ${request.ssl.clientCertificate}? What does the Validate Certificate Assertion really do?
Environment
CA API GATEWAY
Resolution
The "Validate" option will validate true even though the certificate is not in the trust store. Select this option to validate the expiration and format of the given certificate only. "Validate Certificate Path" will check that the certificate has a valid path to a trust anchor in the Gateway. In Postman or SoapUI it seems we cannot send the request without having a private key; that is, ${request.ssl.clientCertificate} is always empty if no private key is attached.
However, any certificate can be sent in the request, and Validate Certificate will be true for that certificate with the "Validate" option. With path validation it fails, because the certificate needs a valid path to the trust store.
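The three checks this article distinguishes (validity only, path to a trust anchor, and possession of the private key) can be reproduced outside the Gateway with the openssl command line. This is an added example, not Gateway code or policy: the certificates "anchor" and "stranger" are constructed test data and the helper function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: openssl analogues of the checks discussed above.
# "anchor" and "stranger" are constructed, unrelated self-signed certificates.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed certificate and key named $1.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Like the "Validate" option: the file parses as X.509 and has not expired.
check_validity() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Like "Validate Certificate Path": cert $1 must chain to trust anchor $2.
check_path() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Proof of possession: a signature made with key $2 over a challenge must
# verify under the public key inside cert $1.
check_possession() {
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
  printf 'constructed-challenge' > "$WORK/challenge"
  openssl dgst -sha256 -sign "$2" -out "$WORK/sig" "$WORK/challenge" 2>/dev/null &&
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" \
      "$WORK/challenge" >/dev/null 2>&1
}

report() {  # print PASS or FAIL for a labelled check
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

make_cert anchor     # stands in for a certificate in the trust store
make_cert stranger   # a certificate that chains to nothing trusted

report "validity only, stranger"          check_validity "$WORK/stranger.crt"
report "path to anchor, stranger"         check_path "$WORK/stranger.crt" "$WORK/anchor.crt"
report "possession, stranger + own key"   check_possession "$WORK/stranger.crt" "$WORK/stranger.key"
report "possession, stranger + other key" check_possession "$WORK/stranger.crt" "$WORK/anchor.key"
```

For the stranger certificate, the validity check passes while the path check fails, and the possession check passes only when the matching key is used.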