Hacker News

voxic11 12/09/2024

They can't fake the attestation from hardware implementations so you could just reject keys from software implementations.


Replies

ranger_danger 12/20/2024

Wouldn't companies/bots/etc. still just get around this by buying many such hardware devices and automating their usage instead?

ale42 12/09/2024

So what about users that don't have any such hardware?

wkat4242 12/11/2024

Yeah but that breaks real use cases from real users.

It's really annoying, PayPal does this too. They only support passkeys in Safari or Chrome, even though it works just fine with a YubiKey in Firefox. They just go out of their way to stop it from working. Really really annoying.

And they also refuse to enroll more than one token even for the basic FIDO2 MFA.