Multiple reasons. A partial list:
Security
Per-user secrets (generally referred to as "passwords", although they needn't always be memorable) are re-usable after the session ends (even if the user doesn't re-use the password elsewhere, which users have a deplorable tendency to do), and are therefore more dangerous to the user if compromised. You cannot rely on secrets transmitted over the network or stored in the client (since they must be sent on every request) or in a server database staying secret forever.
Per-client tokens can also be scoped more tightly (for example, restricting their access to only a few functions, or to use only from a specific IP address), and can be revoked (if compromised, or even just if compromise is suspected) without invaliding all other sessions. Passwords generally need to give access to everything, from everywhere, and if they are compromised you need to change them and invalidate all sessions.
Finally, using session tokens means users can use a third-party identity provider without exposing their credentials to your application (this is very common; for example, you can log into StackExchange using single-sign-on via Google, without ever giving StackExchange your Google credentials). Even if you don't plan to use SSO or support third-party auth at this time, building your session management on tokens rather than credentials will make it much easier to do so in the future, without requiring your users to expose their credentials on those third-party sites to you.
Performance and Scalability
For security, passwords (secrets the user chose or that are chosen for memorability) need to be passed through a computationally-expensive hash function (sometimes described as a key derivation function, such as PBKDF2) and this is slow. A site owner really wants to only do that once per session, and in response, issue a token that can be verified very quickly on subsequent requests.
Additionally, tokens can be made verifiable without any request to the database at all (for an example, see JWTs). This not only avoids DB queries (except when initially issuing or refreshing the token), it also means that a request can go to a different server in a cluster than the one that handled the previous request, and the user's session can nonetheless be verified without accessing a DB (or shared cache or anything like that).