Cannot use split-u2f (yubikey website authentication)

From a debian-11-minimal I created the following templates:

debian-11-minimal ---> ks-16-minimal ---> ks-16-firefox


debian-11-minimal ---> debian-11-firefox

The only difference between these two templates are the following packages:


The other packages, including qubes-u2f, have been installed in both templates.

For practicality, I then created a DispVM Template for debian-11-firefox and another for ks-16-firefox.

The problem is that if I launch firefox-esr in a DispVM based off of ks-16-firefox, u2f authentication with a yubikey doesn’t work. However, with the same settings and website, everything works fine in the DispVM based off of debian-11-firefox.

Still made zero progress on this.

Could something in security-misc prevent qubes-u2f policies from working correctly?

Or maybe it’s preventing the browser from accessing it?

The yubikey is never actually attached to the dispvm and is instead attached to sys-usb, which uses a template based on kicksecure. And just to be very specific, everything works fine with firefox in normal debian-minimal dispvm.

Please advise, I really need this to work, any help welcome!