WebAuthn doesn’t require the RP to enforce any particular hardware attestation, and many sites (the overwhelming majority?) allow anonymous attestation, self-attestation, or simply no attestation at all.
Having hard-to-extract device keys isn’t “DIY hostile”; it’s critical to the attestation security model. If you want to build your own WebAuthn authenticator, then you can either form your attestation root (there’s no “blessed” vendor list that I know of) or simply ignore that part of the spec.
I happen to agree that this is a bad use of attestation (as well as a pointless one, since it’s cheaper and easier for a click farm to do attestation with a bunch of YubiKeys than to contract out CAPTCHA solves).
However, I don’t really think it’s an indictment of either WebAuthn or attestation more generally: as pointed out, most public services do not (and probably will never) require attestation. The winds are against it more generally: non-attestation flows are easier to implement, and WebAuthn adoption is increasingly driven by authenticators that don’t necessarily offer useful attestations (e.g. on-device and virtual tokens). Most future users of WebAuthn won’t have physical keys of the sort that Cloudflare’s scheme will require.