Such sites can have valid TLS certs. They don't need them, because they are already encrypted at the network layer, but some people put TLS certs on there in addition. This is mainly just to appease people who don't understand the security details and have only been trained that the green shield means secure and everything else is not (which, to be fair, is a rule that *almost* always holds). In any case, the traffic will still need to be routed through Tor, but it will not go out an exit node

More info here:

https://onionservices.torproject.org/research/proposals/usability/certificates/