Do you have a source for the hardware-tied design? Neither the specs[1] nor Wikipedia[2] say anything about Authenticators being hardware-only as far as I can see. The specs even specifically talk about Clients (ie browsers) storing passkeys.

[1]: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-aut...

[2]: https://en.wikipedia.org/wiki/WebAuthn#Reasons_for_its_desig...