This is neither a new idea nor a good one. Cloudflare did a PR launch of pretty much the same thing a few years back, and that you haven't actually seen it in the wild probably tells you all you need to know about how useful it is.
WebAuthn is not an integrity attestation; it doesn't tell you anything about how trustworthy the client is. Nor is it a uniqueness attestation; an attacker can mint an arbitrary number of different identities at basically no cost. It's a primitive for building account security systems, not one for building abuse prevention ones.
Some relevant HN threads:
https://news.ycombinator.com/item?id=27141593
There is attestation of the registration device in WebAuthn,
so you can tell that a token was signed by an official YubiKey, Apple Secure Enclave, TPM, etc.
For YubiKeys the attestation signing certificate is shared between devices, but this number is limited,
so you could rate limit... just it would be a horrible experience when you are limited.
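The rate-limiting idea in the reply above, as an added example that is not part of the thread: a sliding-window cap keyed on the attestation certificate, showing why an unrelated user gets refused when their authenticator shares that certificate. `BatchAttestationLimiter`, `batch_key`, `allow` and `demo` are hypothetical names, the certificate bytes are constructed placeholders, and the attestation statement is assumed to have been verified before this code runs.

```python
import hashlib
from collections import defaultdict, deque


class BatchAttestationLimiter:
    """Sliding-window cap on registrations per attestation certificate."""

    def __init__(self, max_registrations: int, window_seconds: float):
        self.max_registrations = max_registrations
        self.window_seconds = window_seconds
        self._events = defaultdict(deque)  # batch key -> registration times

    @staticmethod
    def batch_key(attestation_cert_der: bytes) -> str:
        # The certificate is shared by many devices, so this key names a
        # batch of authenticators, not one device or one person.
        return hashlib.sha256(attestation_cert_der).hexdigest()

    def allow(self, attestation_cert_der: bytes, now: float) -> bool:
        events = self._events[self.batch_key(attestation_cert_der)]
        while events and now - events[0] >= self.window_seconds:
            events.popleft()  # drop registrations that left the window
        if len(events) >= self.max_registrations:
            return False
        events.append(now)
        return True


def demo():
    # Constructed placeholder bytes standing in for two batch certificates.
    batch_a = b"constructed-batch-cert-A"
    batch_b = b"constructed-batch-cert-B"
    limiter = BatchAttestationLimiter(max_registrations=3, window_seconds=3600)

    results = {}
    # One client registers repeatedly with a single authenticator from batch A.
    results["bulk"] = [limiter.allow(batch_a, now=t) for t in (0, 10, 20, 30)]
    # An unrelated user whose authenticator shares batch A is now refused.
    results["same_batch_user"] = limiter.allow(batch_a, now=40)
    # A user on a different batch is unaffected.
    results["other_batch_user"] = limiter.allow(batch_b, now=40)
    # Once the window has passed, batch A is accepted again.
    results["after_window"] = limiter.allow(batch_a, now=3700)
    return results


if __name__ == "__main__":
    print(demo())
```
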