The only official route is to force the certs to expire, then the connector will pick up the new one - it does not have a feature to roll certs on demand.
So, yes, the best approach may indeed be to delete the user and get the connector to recreate them. You could probably do something clever with the scripting API to sort out the user>machine relationships afterwards.
Can we use SBADMCL.exe to create a new user with the smartcard token enabled, so that Sync will then set the right certificate at the next synchronization?
No - only the connector can create smart card users.