
You hit it right. It's not much different than saving your HOTP/TOTP key into your password manager. Instead you'd save the WebAuthn private key and nobody could impersonate you without gaining access to your private key from your password manager (1Password, Android, iOS, Chrome, etc.). At least that is how I have come to understand the inner workings of it all. People rely on PKI for encrypting messages, signing messages, secure remote access, etc., so I think it only makes logical sense to extend it to web application authentication.
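The two stored-key models the comment compares, sketched as an added example that is not part of the original comment: a TOTP secret that the vault and the server both hold, next to a WebAuthn-style key pair where the vault keeps the private key and the server keeps only the public key. The function names, the `example.test` origin and the `clientData` structure are assumptions; real WebAuthn signs authenticator data plus a hash of `clientDataJSON`, which this simplified sketch does not reproduce.

```javascript
const crypto = require('node:crypto');

// TOTP model (RFC 6238, HMAC-SHA1): vault and server store the SAME secret.
function totp(secret, unixSeconds, step = 30, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const off = mac[mac.length - 1] & 0x0f; // dynamic truncation (RFC 4226)
  const code = (mac.readUInt32BE(off) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, '0');
}

// WebAuthn-style model: the vault keeps the private key, the server only the public key.
function register() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { vault: { privateKey }, server: { publicKey } };
}

// Vault side: sign the server's fresh challenge together with the origin.
function signAssertion(vault, challenge, origin) {
  // Simplified stand-in for clientDataJSON (assumption, not the real wire format).
  const clientData = Buffer.from(
    JSON.stringify({ challenge: challenge.toString('hex'), origin }));
  const signature = crypto.sign('sha256', clientData, vault.privateKey);
  return { clientData, signature };
}

// Server side: check challenge freshness, origin, then the signature.
function verifyAssertion(server, assertion, expectedChallenge, expectedOrigin) {
  const parsed = JSON.parse(assertion.clientData.toString());
  if (parsed.challenge !== expectedChallenge.toString('hex')) return false;
  if (parsed.origin !== expectedOrigin) return false;
  return crypto.verify('sha256', assertion.clientData,
    server.publicKey, assertion.signature);
}

// Constructed sample run: one registration, one login.
const reg = register();
const challenge = crypto.randomBytes(32);
const assertion = signAssertion(reg.vault, challenge, 'https://example.test');
console.log('TOTP code:', totp(Buffer.from('12345678901234567890'), 59));
console.log('assertion ok:',
  verifyAssertion(reg.server, assertion, challenge, 'https://example.test'));
```

In both models whoever holds the vault entry can authenticate; the difference is that the server-side record in the second model is a public key, which verifies assertions but cannot produce them.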

