Yeah, I just saw Not recognizing Yubikey for setting up challenge response with KeepassXC as well.
So it actually seems possible to use CTAP2 via proxy (is it?). I think, this still is a legitimate question: Qubes Global Config explicitely names that section “U2F devices” and “U2F proxy”. U2F is a legacy standard and not compatible to Passkeys, which require FIDO2 with WebAuthn + CTAP2:
WebAuthn and CTAP provide a complete replacement for U2F, which has been renamed “CTAP1” in the latest version of the FIDO2 standard.[37] The WebAuthn protocol is backward-compatible (via the AppID extension) with U2F-only security keys[38] but the U2F protocol is not compatible with a WebAuthn-only authenticator
See also CTAP:
The CTAP specification refers to two protocol versions, the CTAP1/U2F protocol and the CTAP2 protocol.