Credentials Binding Plugin has done this ever since the certificate binding feature was added in commit 7d789a8c590fd87cb9dd61c89c894a5df26a0605 and merged in PR#39. The commit message even mentions the assumption that the credential description matches the keystore alias name, but I don't think I have seen it documented anywhere else. When I edit the description of a certificate credential, the help text "An optional description to help tell similar credentials apart" certainly gives no hint of any such requirement.
CertificateMultiBinding already calls credentials.getKeyStore(), so perhaps it could just enumerate the returned KeyStore and get the alias name from there, without needing changes in the Credentials Plugin. If the aliasVariable parameter is specified but the KeyStore actually contains more than one key, then CertificateMultiBinding could log a warning about that, perhaps unless the description of the credential matches one of these aliases.
If each certificate credential normally contains only one certificate and private key, then the keystore alias name is not really needed for selecting the correct certificate, and I think users are likely to choose short words like "cert" as keystore alias names. If the withCredentials step is then changed to store these to the aliasVariable, there may be a risk that Jenkins starts unnecessarily masking this word in unrelated output. Perhaps the keystore alias name should be exempt from this masking, like
JENKINS-44860 requests for usernames.