I just skipped it briefly. But as I’ve understood, when a especially a resident credential is generated, the remote party needs to ensure that the key on the Token is valid. This is done by attestation, and either the vendor of the FIDO2 chip or the manufacturer of the Security Key is in that Attestation Certificate Trust Store.
However, by now it seams to me, that with each new (resident) credential a key is generated…
Technically the expected level of attestation is up to the platform, and the data/cert exchanged you can see in the demo you performed earlier in the thread. Some info on NK3 attestation is discussed in: