fix: Prevent passkey downgrades

[codingllama]

Prevent authenticators from "downgrading" passkeys to "MFA" keys by always adding passkeys to the registration credential exclude list.

Modern authenticators, like Touch ID on Chrome, will always create passkeys regardless of our registration parameters. This can lead to the following situation:

1. User registers a passkey using Chrome and Touch ID
2. User registers an "MFA" key using Chrome and Touch ID. The authenticator "ignores" our credential parameters and creates another passkey. Because that passkey has the same website and user as the original one, it replaces it.
3. Teleport now thinks the user has 2 distinct keys: a passkey and an MFA key
4. User deletes the MFA key in Teleport, which is allowed because Teleport thinks the original passkey still exists. The public key for the only existing key is removed from Teleport.
5. User is now locked out.

This PR stops 2) from happening: the browser will error with a message in the lines of "You already registered this device".

Related to #39521.

Changelog: Prevent accidental passkey "downgrades" to MFA

[codingllama]

Renamed for clarity, nomenclature was still a bit "in flux" when I originally wrote this.

[codingllama]

This behavior used to be fine during the "Yubikey era", desirable even, as MFA keys don't require PINs. Yubis are still fine with this, but the recently evolved passkey behavior clearly isn't. :/

[codingllama]

Friendly ping @gabrielcorado @zmb3 ?

[public-teleport-github-review-bot]

@codingllama See the table below for backport results.

Branch	Result
branch/v13	Create PR
branch/v14	Create PR
branch/v15	Create PR