Not sure I understand your point. Under WebAuthn / FIDO2 you can't impersonate a RP
Could you explain better?