I'd argue that WebAuthn may be classified as transferable?
Under the assumption one's using a FIDO security key, of course, rather than the platform's built-in authenticator.
I too believe passwords will have their role in the future - although I'd love to see their roles swapped: WebAuthn as first authentication factor - passwords as the optional MFA.
Oops, this was a mistake. I don't think most browsers have a way to restrict client certs to specific domains, but since asymmetric cryptography is used, and the key agreement ensures no MITM, no phishing is possible. (They may ask for your cert but can't use that to authenticate with the correct host.)
Some platforms may have a way to remember a client certificate as a preference, but you can't really bind a certificate to only specific sites.
If you can find a way to abuse a valid authentication to one site in order to gain access to another site, that sounds like a very firmly valid security issue needing to be investigated.
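Added example, not part of any post in this thread: a simplified model (not real TLS) of why a client-certificate proof given to one host cannot be replayed to another. The client signs a hash of the handshake transcript, which includes the server's fresh key share, so the signature only verifies on the connection it was made for. All function names and host names are constructed for illustration.

```javascript
// Simplified model of TLS 1.3 client-certificate authentication (NOT real TLS).
// Constructed example: names, hosts and message layout are assumptions.
const crypto = require('node:crypto');

// Each server contributes a fresh ephemeral key share to its handshake.
function newServerHello(name) {
  const { publicKey } = crypto.generateKeyPairSync('x25519');
  return { name, keyShare: publicKey.export({ type: 'spki', format: 'der' }) };
}

// Hash of what both ends of ONE connection saw during the handshake.
function transcriptHash(clientRandom, serverHello) {
  return crypto.createHash('sha256')
    .update(clientRandom)
    .update(serverHello.name)
    .update(serverHello.keyShare)
    .digest();
}

// Client proves possession of its private key by signing the transcript
// (the role CertificateVerify plays in TLS 1.3).
function certificateVerify(clientKey, clientRandom, serverHello) {
  const digest = transcriptHash(clientRandom, serverHello);
  return crypto.sign(null, digest, clientKey.privateKey);
}

// A server checks the signature against ITS OWN view of the transcript.
function serverAccepts(clientPub, clientRandom, ownHello, signature) {
  const digest = transcriptHash(clientRandom, ownHello);
  return crypto.verify(null, digest, clientPub, signature);
}

function demo() {
  const clientKey = crypto.generateKeyPairSync('ed25519');
  const clientRandom = crypto.randomBytes(32);
  const realHello = newServerHello('bank.example');        // intended host
  const otherHello = newServerHello('bank-login.example'); // look-alike host

  // Direct connection: client and intended host share one transcript.
  const direct = certificateVerify(clientKey, clientRandom, realHello);
  // Client is lured to the look-alike host: the signature it produces is
  // bound to that host's key share, not to the intended host's handshake.
  const lured = certificateVerify(clientKey, clientRandom, otherHello);

  return {
    directAccepted: serverAccepts(clientKey.publicKey, clientRandom, realHello, direct),
    relayedAccepted: serverAccepts(clientKey.publicKey, clientRandom, realHello, lured),
  };
}
```

The look-alike host still sees the certificate itself, which is public data; what it does not get is a signature that verifies on any handshake other than its own.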