We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
So the problems you have with them are already solved, in the exact same ways they were solved for password/MFA. If you let Apple manage everything for you, it doesn’t matter whether you’re using passwords or passkeys, you’re locked in either way. But you always have the option to manage your passkeys manually (just like you’re doing with your TOTP) or using a third party cross-platform solution that allows for passkey import and export.