Most devices support signing requests using a certificate baked into the device's hardware certificate store, in a way the OS can't tamper with. Using that certificate to sign a nonce would prove legitimacy of the hardware store (basically, remote attestation).
Your modified kernel can redirect communication attempts with the hardware to another device, but you'll still need a "sanctioned" device every time.
This system makes a lot of sense in corporate environments where compatible hardware can be bought and managed en masse. It doesn't make a lot of sense for something like this. Still, it's technically and practically possible to use such a mechanism, even if it's not advisable.
WebAuthn isn't necessarily going to save you, though, and websites need to blacklist any hardware that has been found compromisable in the past (i.e. most consumer laptops, many consumer phones), and it won't work on Android phones running custom ROMs that don't implement the full security service but rather load in the bare minimum to get the API working.