Why can't this be done today? Back when StartSSL was a thing and giving out free SSL certs, they didn't have you authenticate with a username/password; they generated a cert that was stored in your browser and used that to authenticate you.
It can be done today, but the browser UX around X.509 client cert auth is poor, and especially setting up your browser to use hardware tokens is more than could be expected of a nontechnical user.
I don't know for sure why they decided to do something new rather than improving the UX of client certs, but what they came up with for WebAuthn seems to work pretty well.
I'd much rather authenticate to websites with a key stored in my phone's secure element than I would with an auth service provided by my carrier.