That's a really interesting point. If this really does allow a web user to prove that a human interacted with the computer, it'd make for a really nice CAPTCHA replacement.
From the server side, isn't this just a WebAuth integration?
How does the server know for sure if the client is on an iOS Safari browser on an iPhone with FaceID or a custom browser on any OS and any non-locked-down hardware being run with Selenium?
Attestation. If a website requests it, the device will provide cryptographic proof that you used a specific vendor’s device to store the resident credential. The proof is a certificate signed with a vendor’s secret attestation key.
The question is more along the lines of: does this provide more security than passwords for real users?
Stealing a password is probably more easily done than stealing a private key that is never transmitted. The primary threat model is protecting the credentials of real users rather than protecting against fraudulent users (though some considerations have been made for that too).
There are a lot of implications - no ability to automate and giving others data on you were provably in front of some machine are two big ones.