Speaking from personal experience, don't do this on a machine you'll ever access remotely, because then you're stuck waiting for the biometric check to time out before you can authenticate via another method.
That's why I prefer using Yubikeys (using this setup: https://github.com/drduh/YubiKey-Guide) — and this method times out immediately (just press esc when the "insert card" dialog comes up).
Plus you can have multiple keys. Plus you can use them for gpg and ssh. Plus you can back them up. Plus you can print them on paper.
Yes and you can forward the yubikey through an SSH agent. It's what I do. This way you can sudo with hardware auth both locally and remotely. Enable touch to sign so the yubikey can't be 'milked' for authentication while it's inserted and unlocked.
I don't know if you can do the same (forwarding over SSH) with Fido2 but I still use traditional SSH keys anyway (stored on the yubi with OpenPGP). And the pam_ssh_agent_auth module.
I'll only consider switching to Fido once everything supports it (eg my iLO devices too) and it can offer at least the same features like forwarding. For now the former is very far from being realised anyway.
This also helps if you want to use the touch / Yubikey / Whatever to unlock the machine, but you need to type in the password when opening the session so that all the wallets unlock, too.
Doesnt just apply to macs/touch bar either. Had the same issue when I setup my fingerprint sensor on my thinkpad on fedora.
Maybe theres a way to get both to work, but I never found it