Onion domains are a form of content addressing based on public key pairs. Normally onion domains aren't as readable as the nytimes one and look more like a bunch of random letters. (All nytimes did was generate many million key pairs until they found one that looked cool.)
If you fetch web pages from http://abc123.onion, you basically tell Tor "connect me to whoever holds the certificate with fingerprint abc123". Any domain-validated certificate on top of that is superfluous since you already know which certificate you are talking to. What you don't know is who holds it. This is where organizationally validated certificates can help.