Though I also think this is, in a sense, a poorly specified problem: without remote attestation (as with FIDO Security Keys), nothing prevents a human from connecting the "user presence" check to a software-triggered cryptographic key.
And for a variety of privacy and open-web reasons, nobody wants to tie common web flows to remote attestation.
So.... ¯\_(ツ)_/¯