Huh, I'm pretty sure it's present by default (not behind a flag) in current versions of Keycloak - would have liked to use it but our setup is so heavily firewalled tokens wouldn't make it over ;)
Please make a write up about using it - my current use of keycloak doesn't fit webauthn (clients access it from virtual workstations that don't have usb access) but I'd like to incorporate it further in my toolbox for future projects