Moreover, if a physically undetected clone is managed, it will be detected soon through the spec. The WebAuthn spec includes monitoring an always increasing counter for each key/site pair. One of the clones will start to fail.

So really there's no point in cloning. Straight up theft is the bigger concern.