The difference is that with an app, the server can ensure it's running on a safe non-compromised/jailbroken device using remote attestation (Play Integrity, App Attest).
With a web browser, there's no way of doing that by design as the user has full control over their user agent, so you need to trust the end user is following good security practices and hasn't allowed their user agent to become compromised.
However, in the EU, banks are legally liable for financial loss caused by unauthorised transfers, so they are increasingly not willing to trust that the user hasn't just loaded their browser up with malicious extensions and malware.
With a web browser, there's no way of doing that by design as the user has full control over their user agent, so you need to trust the end user is following good security practices and hasn't allowed their user agent to become compromised.
However, in the EU, banks are legally liable for financial loss caused by unauthorised transfers, so they are increasingly not willing to trust that the user hasn't just loaded their browser up with malicious extensions and malware.