Not sure I understand your point. Under WebAuthn / FIDO2 you can't impersonate a RP

Could you explain better?