By turning each of the user devices into their own certificate authorities, each application will get its own certificate and hence there will be no way to correlate those credentials.
A typical registration flow using FIDO protocol:
User chooses an available FIDO authenticator according to your acceptance criteria.
The user unlocks the authenticator with biometrics device or external second-factor device (example: fingerprint, face recognition).
Public and private key pairs are created for the local device, the user account, and mobile/online services.
The public key is sent to the server. The private key is stored locally in the cryptographic secure key store. Registration is then complete.