
To really do this right, the YubiKeys would need to have some kind of display to see what action you're confirming. Slightly better than nothing, the OS/browser UI could show it.

Something like Plaid is unfixable though, that's just a garbage heap of insecure patterns. I refuse to use it.



Something I was disappointed (but not surprised) to never see take off outside a few niche areas and closed systems like payment card terminals was personal smartcard readers.

Even reasonably affordable ones commonly have a 16x2 or 16x4 LCD screen. While today's protocols and drivers don't inherently tie together the data being signed with a string shown on the screen, appropriate design of protocols could enable this - then you'd have a hardware reader with PIN pad, where your PIN isn't seen by the computer, and with a screen showing you exactly what domain you are logging into, or which action you're approving.

You can implement WebAuthn on a smartcard just fine as well (there are open source applets for it I believe) - just a shame that hardware readers with trusted displays never really took off on desktop PCs! Then again for "just login" like in WebAuthn, really the domain is the only thing seen. A rogue local browser app can prompt you to authenticate for an arbitrary domain, but it's challenge/response based so the attack needs to happen in real-time.
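The challenge/response binding the comment above relies on, shown as an added example in Go (not code from the commenter, a YubiKey, or any WebAuthn library): a toy in-memory authenticator signs an assertion for whatever rpID the local client names (it has no trusted display, so it cannot tell whether the client was honest), and a minimal relying party verifies rpIdHash against its own domain, checks the reported origin, verifies the ECDSA signature, and consumes the challenge so the same assertion cannot be replayed. All names (Authenticator, RelyingParty, Demo, example.com, evil.example) and the single-credential server are constructed for this example; real devices speak CTAP and real servers use a full WebAuthn library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is the subset of WebAuthn clientDataJSON this example inspects.
type ClientData struct {
	Challenge string `json:"challenge"` // base64url (no padding) of the RP-issued challenge
	Origin    string `json:"origin"`    // origin the browser reports the call came from
}

// Assertion: authenticatorData (rpIdHash(32) || flags(1) || signCount(4)) plus the ECDSA P-256 signature.
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte }

// signedMessage is what both sides hash and sign: authData || SHA-256(clientDataJSON).
func signedMessage(authData, cdHash []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash...))
	return h[:]
}

// Authenticator is a toy in-memory credential (hypothetical stand-in for a key or smartcard).
type Authenticator struct{ Key *ecdsa.PrivateKey }

// Assert binds the rpID the local client names into rpIdHash; without a trusted display it cannot check that name.
func (a *Authenticator) Assert(rpID string, cd ClientData) (Assertion, error) {
	cdj, _ := json.Marshal(cd) // two plain string fields: Marshal cannot fail here
	rpHash := sha256.Sum256([]byte(rpID))
	auth := make([]byte, 37)
	copy(auth[:32], rpHash[:])
	auth[32] = 0x01                          // flags: UP (user present)
	binary.BigEndian.PutUint32(auth[33:], 1) // signCount (not tracked in this example)
	cdHash := sha256.Sum256(cdj)
	sig, err := ecdsa.SignASN1(rand.Reader, a.Key, signedMessage(auth, cdHash[:]))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cdj, AuthData: auth, Sig: sig}, nil
}

// RelyingParty holds one registered public key and the challenges it has issued but not consumed.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
	Pending      map[string]bool
}

// NewChallenge issues 32 random bytes; each challenge is good for exactly one assertion.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.Pending[c] = true
	return c, nil
}

// Verify runs the relying-party checks that make an assertion domain-bound, fresh and single-use.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.RPID))
	cdHash := sha256.Sum256(as.ClientDataJSON)
	switch {
	case !rp.Pending[cd.Challenge]:
		return errors.New("unknown or already-used challenge (replay)")
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]):
		return errors.New("rpIdHash mismatch: assertion was made for another domain")
	case cd.Origin != rp.Origin:
		return errors.New("origin mismatch")
	case !ecdsa.VerifyASN1(rp.Pub, signedMessage(as.AuthData, cdHash[:]), as.Sig):
		return errors.New("bad signature")
	}
	delete(rp.Pending, cd.Challenge) // consume it so the same assertion cannot be replayed
	return nil
}

// Demo runs a genuine login, a replay of it, and an assertion made for another domain (constructed inputs).
func Demo() (genuine, replay, otherDomain error) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &Authenticator{Key: k}
	rp := &RelyingParty{RPID: "example.com", Origin: "https://example.com", Pub: &k.PublicKey, Pending: map[string]bool{}}
	c, _ := rp.NewChallenge()
	as, _ := auth.Assert("example.com", ClientData{Challenge: c, Origin: rp.Origin})
	genuine, replay = rp.Verify(as), rp.Verify(as) // second call sees a consumed challenge
	c2, _ := rp.NewChallenge()
	bad, _ := auth.Assert("evil.example", ClientData{Challenge: c2, Origin: "https://evil.example"})
	return genuine, replay, rp.Verify(bad)
}

func main() { fmt.Println(Demo()) }
```

Running it prints a nil error for the genuine login, a replay error for the second use of the same assertion, and an rpIdHash mismatch for the assertion made for evil.example. That is the whole of what the protocol guarantees: an assertion only works for the domain baked into it and only while its challenge is outstanding, which is why a rogue local client has to act in real time, and why the authenticator itself, lacking a display, cannot show the user which of those domains it is actually signing for.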



