> This is the mechanism by which the Austrian government, for instance, prevents you from using an Open Source or any other software-based authenticator to sign in to do your taxes, access medical records or do anything else that is protected by eID. Instead you have to buy a whitelisted hardware token.

When the time comes to support passkeys on my services, I think I might use attestation in the other direction, i.e. only offer passkeys to users if I detect they are using a cross-platform password manager like Bitwarden or 1Password. There are simply too many moving pieces (including ad-hoc Bluetooth connections!) to guarantee a good UX when trying to move between the big tech implementations.
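A server-side sketch of the kind of allowlist check described in the comment above, as an added example that is not part of the original comment: it reads the AAGUID out of WebAuthn `authenticatorData` at registration time and compares it with an allowlist. The function names, the relying-party ID `example.test` and the AAGUID value are constructed placeholders, not any real provider's identifier.

```python
import hashlib
import struct
import uuid
from typing import Optional, Tuple

AT_FLAG = 0x40  # flags bit: attested credential data is present

# Constructed placeholder entry (assumption); a real allowlist would hold the
# AAGUIDs published by the password managers the service chooses to accept.
ALLOWED_AAGUIDS = {
    uuid.UUID("11111111-2222-3333-4444-555555555555"): "example cross-platform manager",
}


def extract_aaguid(auth_data: bytes) -> Optional[uuid.UUID]:
    """Return the AAGUID from authenticatorData, or None if the AT flag is clear."""
    # Fixed header: rpIdHash (32 bytes) + flags (1) + signCount (4) = 37 bytes.
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    if not auth_data[32] & AT_FLAG:
        return None
    # Attested credential data: AAGUID (16) + credentialIdLength (2, big-endian).
    if len(auth_data) < 55:
        raise ValueError("AT flag set but attested credential data is truncated")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID runs past the end of authenticatorData")
    return uuid.UUID(bytes=auth_data[37:53])


def provider_policy(auth_data: bytes) -> Tuple[bool, str]:
    """Decide whether a newly registered credential matches the allowlist."""
    aaguid = extract_aaguid(auth_data)
    if aaguid is None:
        return (False, "no attested credential data")
    # With attestation format "none" the AAGUID is not signed by the
    # authenticator, so a match is a UX hint rather than proof of the provider.
    name = ALLOWED_AAGUIDS.get(aaguid)
    return (True, name) if name else (False, f"AAGUID {aaguid} not on allowlist")


def build_sample(aaguid: uuid.UUID, attested: bool = True) -> bytes:
    """Constructed authenticatorData for offline testing (COSE key omitted)."""
    header = hashlib.sha256(b"example.test").digest()
    header += bytes([0x45 if attested else 0x05]) + struct.pack(">I", 0)
    if not attested:
        return header
    cred_id = b"\x01" * 16
    return header + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id
```

The AAGUID only becomes available in the registration response, so a check like this runs after the credential has been created rather than before the passkey prompt is shown.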