
Why a half ACME client?

Posted Aug 14, 2025 12:38 UTC (Thu) by iabervon (subscriber, #722)
In reply to: Why a half ACME client? by witurnpled
Parent article: NGINX adds native support for ACME protocol

I think it's for systems where the web server has a private key of its own (not shared with any other software), and you want to get it a certificate for that key. This way, the private key is only ever known to the software that will terminate TLS under ordinary operation, and it uses the challenge type that software already handles for other purposes, resulting in a minimum of additional code having access to the key over what is needed for ordinary operation of this system.

Of course, none of this makes sense if you want a keypair used by multiple programs for different services, such that there's no single program that terminates TLS for all connections, but that's only one of the two common use cases.
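The "half client" arrangement the comment describes can be made concrete with a configuration sketch. This is an added illustration, not part of the comment or of the nginx project's documentation: the directive and variable names follow my reading of the nginx-acme module's README and should be treated as assumptions to check against the module's docs, and all hostnames, paths and the CA directory URL are placeholders. What it shows is the trust boundary the commenter is after: the key behind the certificate is generated and held by nginx itself, and the HTTP-01 challenge is answered by the same process that already serves HTTP, so no second program ever touches the key.

```nginx
# Added example, not from the page or the nginx project.
# Directive names are assumptions based on the nginx-acme README.

# DNS resolver for the ACME client's outbound requests (placeholder address).
resolver 127.0.0.53;

# Shared memory for the module's state (assumed directive).
acme_shared_zone zone=ngx_acme_shared:1M;

# One ACME account; state_path holds account data, not the TLS key.
acme_issuer example_ca {
    uri         https://acme.example.test/directory;   # placeholder CA URL
    contact     mailto:ops@example.test;               # placeholder contact
    state_path  /var/cache/nginx/acme-example_ca;       # placeholder path
    accept_terms_of_service;
}

# Plain HTTP listener. Assumption: the module answers HTTP-01 requests under
# /.well-known/acme-challenge/ here on its own, so no other program on the
# host has to serve that path.
server {
    listen 80;
    server_name www.example.test;
    return 301 https://$host$request_uri;
}

# TLS terminator. The private key is generated by nginx and referenced only
# through $acme_certificate_key; it is never handed to an external client.
server {
    listen 443 ssl;
    server_name www.example.test;

    acme_certificate example_ca;                       # assumed directive

    ssl_certificate     $acme_certificate;             # assumed variable
    ssl_certificate_key $acme_certificate_key;         # assumed variable
}
```

The point to check when reviewing such a setup is the one the comment makes: apart from nginx itself, list every process and file that can read the key material under `state_path` or the module's key storage, and confirm the list is empty. If a deployment instead needs one key shared by several daemons, this model does not apply and a conventional ACME client that distributes the key is the better fit.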



Copyright © 2025, Eklektix, Inc.