WebAuthn works great for authentication. We can pretty much trust the secure enclave to verify a nonce even if the OS is compromised.
But we cannot trust the content. And it gets high friction. But basically you need the air solex HSM to take a nonce typed in by the user and based on human-verified values (i.e., dollar amount) and maybe hash values (though possibly compromised).
And such high friction destroys many assumptions and business models. It might be the best solution - will see if I can find any reading materials.
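
A sketch of the offline confirmation flow this comment describes, as an added example that is not part of the original post. The scheme (an HMAC over the typed nonce plus the human-verified amount and payee, truncated to a short code), the shared key, the payee field and all names are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed demo key shared by the offline device and the server (assumption).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def canonical(nonce: str, amount_cents: int, payee: str) -> bytes:
    """Length-prefix every field so two different tuples never encode alike."""
    fields = [nonce.encode(), str(amount_cents).encode(), payee.encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def confirmation_code(key: bytes, nonce: str, amount_cents: int, payee: str) -> str:
    """What the offline device displays after the user types in the values."""
    mac = hmac.new(key, canonical(nonce, amount_cents, payee), hashlib.sha256).digest()
    # Simplified truncation to 8 decimal digits so a human can type it back.
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"

def server_verify(key: bytes, nonce: str, amount_cents: int, payee: str, code: str) -> bool:
    """Server recomputes the code over the transaction it actually received."""
    expected = confirmation_code(key, nonce, amount_cents, payee)
    return hmac.compare_digest(expected, code)

def demo() -> tuple[bool, bool]:
    nonce = "483920"  # constructed; a real server issues a fresh random one per transaction
    # The user reads the nonce off the screen and types it, plus the amount and
    # payee they intend, into the offline device.
    code = confirmation_code(DEVICE_KEY, nonce, 2500, "ACME")
    # Honest host: the server received the same transaction the user confirmed.
    honest = server_verify(DEVICE_KEY, nonce, 2500, "ACME", code)
    # Compromised host: the request reaching the server differs from what the
    # user confirmed, so the recomputed code does not match.
    tampered = server_verify(DEVICE_KEY, nonce, 950000, "OTHER", code)
    return honest, tampered

if __name__ == "__main__":
    print(demo())
```

The friction the comment points to is visible here: the user types the nonce, the amount and the payee into one device and the resulting code back into another.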