Verifies that this browser can derive a stable WebAuthn PRF secret
(CTAP2 hmac-secret) from an external security key. This is the
gating test for the encrypted-journal design: the iPad/Safari + USB-C YubiKey
path is confirmed only if PRF returns a non-empty, stable value.
Touch the YubiKey when it flashes. Creates a discoverable credential with the PRF extension requested.
Authenticates with the credential above and evaluates PRF with a fixed salt.
Same salt, separate ceremony. The secret must match step 2 byte-for-byte.