Reported by @lavamind, the fix for this should possible by part of the 'Bug 23247: Communicating security expectations for .onion' patch, or maybe as a standalone for eventual uplift.
security.webauth.webauthn needs to be true for yubikeys in general to work (see #26614)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information