[gruez]

>you need to know the corresponding private key, live.

This seems like the main blocker. Why is that required? In theory all the site needs is a public key to verify against.

[tialaramex]

If you have questions about why the WebAuthn protocol works the way it does, it seems like you'd want to first read the protocol in detail and then if you still have questions ask its maintainers.