It would seem adding the following policy works:
u2f.Register * @anyvm sys-usb allow
u2f.Authenticate * @anyvm sys-usb allow
ctap.GetInfo * @anyvm sys-usb allow
ctap.ClientPin * @anyvm sys-usb allow
If you use a WebAuthn test site without that, you’ll see a bunch of
notifications warning that a policy denial has happened. I worked out
the above by adding things until the denials disappeared.
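
The following is an added example, not part of the original post and not Qubes' own policy parser. It models the five-field rule format used above (service, argument, source, target, action) to show which calling qubes a rule set admits, and how the result changes when the source field names one qube. The qube names `work` and `untrusted`, the empty-argument value `+`, and the simplified matching (literal names, `*`, `@anyvm`, first match wins, no match means deny) are assumptions.

```python
# Simplified model of qrexec policy matching (added example, not Qubes' parser).
# Assumptions: only literal names, "*" and "@anyvm" are handled; the first
# matching rule wins; a call that matches no rule is denied.

POSTED = """\
u2f.Register * @anyvm sys-usb allow
u2f.Authenticate * @anyvm sys-usb allow
ctap.GetInfo * @anyvm sys-usb allow
ctap.ClientPin * @anyvm sys-usb allow
"""

# Same services with the source narrowed to one qube ("work" is hypothetical).
NARROWED = POSTED.replace("@anyvm", "work")

SERVICES = ["u2f.Register", "u2f.Authenticate", "ctap.GetInfo", "ctap.ClientPin"]


def parse(text):
    """Return a list of (service, argument, source, target, action) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(tuple(fields[:5]))
    return rules


def decide(rules, service, source, target, argument="+"):
    """Action of the first matching rule, or 'deny' if nothing matches."""
    for svc, arg, src, dst, action in rules:
        if (svc in ("*", service) and arg in ("*", argument)
                and src in ("@anyvm", source) and dst in ("@anyvm", target)):
            return action
    return "deny"


def denied_services(rules, source, target="sys-usb"):
    """Services from SERVICES that this source qube cannot call on target."""
    return [s for s in SERVICES if decide(rules, s, source, target) != "allow"]


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("narrowed", NARROWED)):
        for qube in ("work", "untrusted"):
            print(name, qube, "denied:", denied_services(parse(text), qube) or "none")
```

With only the two `u2f.*` rules loaded, the same check reports the two `ctap.*` services as denied.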