Tags: google-chrome, safari, blob, hmac, webauthn

Webauthn securely store user credential data


I am trying to add WebAuthn to my web app, and I want to securely store a private key with the credential data. The methods I have found for storing data with a credential are: the hmac-secret extension, the large blob extension, and CredentialsContainer.store(). Which, if any, of these methods can securely store data on/with the authenticator? Are there better ways of doing it?


Solution

  • CredentialsContainer.store is not pertinent for public-key credentials: they are never stored, only created. (You can store other types of credentials, like passwords, but the title says "WebAuthn" so I'll stick to that topic.)

  • The hmac-secret extension (exposed as the prf extension at the WebAuthn level) allows an arbitrary number of secrets to be derived using a PRF like HMAC. This is currently behind chrome://flags/#enable-experimental-web-platform-features but will have the greatest degree of support in security keys and will be supported by Android devices in the coming months. This is intended to be the answer to your question but is not fully ready yet.

  • The credBlob extension allows a small, fixed amount of data to be stored with a credential. It was not originally intended for secrets, however. Only newer security keys will support this.

  • The largeBlob extension is for storing a KB or two of data with a credential, usually a certificate for that key. This will have the least security key support.

  Probably none of those options currently work in Safari, however.