
Is using Data Protector instead of machine key an option for IdentityServer3 IIS deployment?


The deployment documentation says this:

If you are running in IIS, you need to synchronize machine keys. If you are running outside of IIS, you need to use a web farm compatible data protector for Katana.

My question is, is synchronizing the machine key the only valid approach for IIS, or is the data protector approach also an option? If so, are there reasons to prefer machine key over the data protector cert?


Solution

  • You can register an OWIN/Katana IDataProtector in IdentityServer 3 using the DataProtector property in the IdentityServerOptions.

    There's no reason you should use machine key over this, as long as the data protector is 'secure' and any keys used in it are the same across all instances, so that all IdentityServer instances can unprotect each other's tokens.

    The only reason I've recommended IIS machine keys in the past is because it is a relatively common method and understood by most admins.
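Added example (not from the question or answer above, and not IdentityServer's own sample code): an OWIN startup that wires the `DataProtector` property of `IdentityServerOptions` to IdentityServer3's certificate-based protector, `X509CertificateDataProtector`, so that every node in the farm protects and unprotects with the same certificate. The `dataProtectionThumbprint` appSettings key, the `LoadDataProtectionCertificate` helper and the `CreateFactory` placeholder are assumptions of this example, and the certificate is assumed to be installed with its private key on every node.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Assumed appSettings key holding the thumbprint of the farm-wide protection cert.
        var cert = LoadDataProtectionCertificate(
            ConfigurationManager.AppSettings["dataProtectionThumbprint"]);

        var options = new IdentityServerOptions
        {
            SiteName = "IdentityServer3 (farm)",
            // CreateFactory() is a placeholder for your own client/scope/user registration.
            Factory = CreateFactory(),
            // Replaces reliance on the IIS machine key: every node must hold this same
            // certificate (with private key) or it cannot unprotect tokens issued elsewhere.
            DataProtector = new X509CertificateDataProtector(cert)
        };

        app.UseIdentityServer(options);
    }

    // Fail at startup on a node that lacks the private key, rather than at the first
    // cross-node token round-trip. The IIS app pool identity needs read access to the key.
    static X509Certificate2 LoadDataProtectionCertificate(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new InvalidOperationException("dataProtectionThumbprint is not configured.");

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException("Data protection certificate not found: " + thumbprint);
            var cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Data protection certificate has no private key.");
            return cert;
        }
    }

    static IdentityServerServiceFactory CreateFactory()
    {
        return new IdentityServerServiceFactory(); // placeholder: register clients, scopes, users here
    }
}
```

Rotating the certificate means installing the new one on every node before switching the thumbprint, since tokens protected by the old certificate cannot be unprotected by a node that only holds the new one.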