Comment by lxgr

11 hours ago

Yes, but they're used, by design, to authenticate you.

Even revealing the fact that a given passkey exists on your device requires your active confirmation according to the spec, so unless you actually want to authenticate and click the corresponding button, the site learns nothing about you (other than that your browser theoretically supports WebAuthn, which most do these days, so that's significantly less than one bit of fingerprinting data on you).

In other words, you can't be fingerprinted by WebAuthn, unless there's a (pretty severe) bug in an implementation.