A paper certificate attesting to attributes of some product or person that are not easy to test for directly can include a URL deep-linking into the issuer's website.
Someone trying to evaluate the legitimacy of the certificate can visit the URL and see the certificate information on the issuer's website. The information displayed on the website may also contain information about exactly what product it is certifying (description, serial number, etc.) and hard-to-forge ways of identifying that specific product. Depending on the application, it could also offer a way to register ownership and/or indicate if that product (same serial number etc.) has been previously registered (helping detect duplication).
This is much harder to forge, requiring an attacker to hack into the issuer's website (or verifier's path to it) in addition to all the skills required to produce a paper forgery that appears credible to a potential verifier. Use of blockchain technology can raise the bar even more.
A QR code can just be a way of encoding that URL in a way that is easier for a machine to read.
Ideally, the QR code reader would tell the user what URL the code corresponds to before just opening the contents of that URL, so the user can verify that it looks like a trusted host (and block some attack strategies involving getting a target to visit an arbitrary URL).
For convenience and stronger association, the QR code can be engraved in or otherwise attached to a product directly, instead of a paper certificate meant to accompany the product. With the information available online, the rest of the certificate text can (in some applications) be omitted.
If a forger made an exact copy of a product the authentic seller had produced but not yet sold, including a code directing potential verifiers to the legitimate certificate, the issuer could potentially revoke that certificate and change the code/number on their own unsold inventory; the forger risks being exposed.
While this system is not 100% foolproof to the most advanced forgers, it raises the bar to successful forgery, especially compared to the status quo in many domains. In common practice, once that bar is high enough, it can become easier for the forger to just go through the certification steps and legitimately make genuine products, or pursue forgery/other activity elsewhere.
As an example of information related to a person rather than a product, see the Red Cross's training certificates program.