I don't believe Web Bluetooth should be used with security keys (in fact, I believe communication with those is specifically blocked as a part of Web Bluetooth).

This is because the browser needs to pass the origin to the device and ensure the webpage can't impersonate another origin.