When accessing a site by a standard domain name (such as https://duckduckgo.com) through HTTPS over Tor, your connection is routed through a Tor exit node, which makes a connection to the site's server (see diagram). This means that the exit node is in a position to attempt a man-in-the-middle (MITM) attack on the HTTPS connection to the site.
In order to prevent MITM attacks, HTTPS relies on certificates (and therefore, certificate authorities) to verify a site's authenticity. While rare, there have been cases where certificate authorities have issued fraudulent certificates for sites (see "If an adversary took over a major Certificate Authority, what bad things could they do?" for more info).
On the other hand, when accessing a site through Tor using the site's onion address (such as https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion), you do not need to rely on a CA to provide authenticity. This is because the site's onion address contains the site's public key. See https://community.torproject.org/onion-services/overview/ for more info.
Any secure protocol must provide three basic ingredients: confidentiality, integrity, and authenticity. HTTPS does a fairly good job at providing confidentiality and integrity, but we must trust third-party CAs to provide authenticity. Tor's onion routing protocol eliminates the need for us to rely on CAs by encoding the site's public identity key in the onion address. So, we have a positive way of verifying the site's authenticity without trusting CAs, at the expense of less user-friendly, squirrelly-looking addresses.
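
To make "the onion address contains the site's public key" concrete, here is an added example (not part of the original answer) that decodes a v3 onion hostname into its 32-byte Ed25519 identity key and validates the checksum and version byte. The layout `base32(PUBKEY | CHECKSUM | VERSION)` follows Tor's v3 onion service specification; the function names are illustrative, and the second sample key is constructed.

```python
import base64
import binascii
import hashlib
import hmac

VERSION = 3  # v3 onion services

def onion_checksum(pubkey: bytes) -> bytes:
    # First two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)
    data = b".onion checksum" + pubkey + bytes([VERSION])
    return hashlib.sha3_256(data).digest()[:2]

def encode_onion(pubkey: bytes) -> str:
    """Build the v3 hostname for a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + bytes([VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def onion_public_key(host: str) -> bytes:
    """Return the key embedded in a v3 onion hostname, or raise ValueError."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion" or len(labels[-2]) != 56:
        raise ValueError("not a v3 onion hostname")
    try:
        raw = base64.b32decode(labels[-2].upper())
    except binascii.Error as exc:
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != VERSION:
        raise ValueError("unsupported onion version byte")
    if not hmac.compare_digest(checksum, onion_checksum(pubkey)):
        raise ValueError("checksum mismatch: mistyped or altered address")
    return pubkey

if __name__ == "__main__":
    # Address quoted in the text above (scheme stripped).
    ddg = "duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion"
    print("identity key:", onion_public_key(ddg).hex())
    # Constructed sample key, not a real service.
    sample = encode_onion(bytes(range(32)))
    print(sample, "->", onion_public_key(sample).hex())
```

The checksum only catches typos; the authenticity guarantee comes from the key itself, so it holds only if the address was obtained from a trustworthy source.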