AFAIK webauthn uses the domain as passed from the browser. So user might see micorsoft.com, but to the device it's a different domain so it won't pass on the keys.