I cannot trust JWTs - look the maximum I want to send from a client to a server is a single nonce. Anything else is just adding attack surfaces. Add that one 128bit number has too many already :-)
What in the world is your threat model? You need some concept of sessions somewhere, even if it's just a list of which client certs (aka sessions) are valid in case someone looses a yubikey. Those certs should also be short lived, since they don't live in the yubikey itself. And a TLS client cert absolutely adds more than just a nonce.
Instead of generating client certs client side, generate a elliptical curve key pair who's public key you sign with the yubikey and send to the server. Then, sign every request with that key and the server can verify it using the public key sent previously. All that can be done in js, without a jwt or sending anything other than a request and signature. It's essentially a client cert.
I still don't really understand how much more security it'd get you than bog standard webauthn, especially considering it'd be a custom, less tested system, but you can already do something similar to your idea using standard cryptographic primatives.
I am guessing you are suggesting this as an absurdist argument (even if it is feasible !?!!) but I don't get why using client certs is bad? The downsides to session keys in cookies is immense and I don't see JWTs as being materially different.
It appears to me there are two options :
use out of band method to verify a HSM "belongs" to a given person (which has loads of issues) then
1. Use that HSM to establish a bearer token for future requests
2. use that HSM to establish a client certificate which at least avoids the problems of bearer token.
I may of course be very wrong.
PS To me the problems of "replacing passwords with something stronger" boil down to the fact that the vast majority of web sites out there are not protecting anything valuable. I have 300+ entries in my password vault and if I had to walk down the street to a "PKI office" and get my passport stamped to access each one, I would choose maybe five.
I suspect that the vast amount of crap sites out there trying to find ways to make authentication stronger without actually making it less convenient for people i case they stop bothering to sign in, is just undermining the infrastructure we would need to have trustable authentication.
If it's valuable to you, you will make the effort.
