It's great if you're happy having (effectively) one SSH keypair to log into _every_ service you might potentially log into.
The minute you "wrongly" "ssh -A" into a pwned box, forwarding the agent - it's game over and they've now access to _all_ your infrastructure.
Using different SSH keypairs "per environment" might be more fiddly (but "ssh-ident" helps) but ensures a wrong "ssh -A" to a pwned box can only potentially cause a _part_ of your infra to be pwned.
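An added example, not part of the comment above: a small resolver that reports which agent, if any, an `ssh_config` forwards to a given host, so a stray shared-agent forward stands out. It assumes each environment has its own agent on its own socket; the hostnames and socket paths are constructed, and only `Host` blocks (with `!` negation) are handled, not `Match`, `Include` or `key=value` lines.

```python
import fnmatch

# Constructed sample ~/.ssh/config; hostnames and socket paths are made up.
# ForwardAgent accepts a socket path in OpenSSH 8.2 and later.
SAMPLE_CONFIG = """\
Host bastion.prod.example
    ForwardAgent yes

Host *.prod.example
    IdentityAgent ~/.ssh/agents/prod.sock
    ForwardAgent ~/.ssh/agents/prod.sock

Host *.dev.example
    IdentityAgent ~/.ssh/agents/dev.sock

Host *
    ForwardAgent no
"""

def effective(config, hostname):
    """Resolve options for hostname as ssh_config does: the first value
    obtained for each keyword wins, reading the file top to bottom."""
    opts, active = {}, True  # lines before any Host line apply to every host
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            pats = value.split()
            pos = [p for p in pats if not p.startswith("!")]
            neg = [p[1:] for p in pats if p.startswith("!")]
            active = (any(fnmatch.fnmatchcase(hostname, p) for p in pos)
                      and not any(fnmatch.fnmatchcase(hostname, p) for p in neg))
        elif active:
            opts.setdefault(key, value)  # keep the first value seen
    return opts

def forwarded_agent(config, hostname):
    """None if nothing is forwarded, 'default' for the shared $SSH_AUTH_SOCK
    agent, otherwise the dedicated socket path that is forwarded."""
    value = effective(config, hostname).get("forwardagent", "no")
    if value.lower() == "no":
        return None
    return "default" if value.lower() == "yes" else value

if __name__ == "__main__":
    for host in ("bastion.prod.example", "db1.prod.example", "web.dev.example"):
        print(host, "->", forwarded_agent(SAMPLE_CONFIG, host))
```

The bastion entry resolves to the shared agent because its earlier `ForwardAgent yes` wins over the per-environment socket set in the later block. `ssh -G <host>` prints the options OpenSSH itself resolves for a host and can be used to confirm the result on a real config.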
Yubikey 5 series have some 20 extra slots you could use to store more keys. I'm not sure if yubikey-agent would have out-of-the-box support for that, but choosing a slot is just a single integer in the code, and you can enumerate them all too.