Specify storage type hint for browser bound keys · Issue #288 · w3c/secure-payment-confirmation · GitHub

Specify storage type hint for browser bound keys #288

@pejic

The private key of a browser bound key could be stored in a secure element or in software, and relying parties cannot distinguish among these. The secure payment confirmation spec mentions that the user agent does not export this key; however, the spec does not specify

  • browser bound key storage type requirements (should a secure element be required and software storage be disallowed?),
  • BBK storage type hints in the outputs for the relying party, nor
  • whether some types of storage should be preferred when the user agent selects an algorithm from the list of public key credential parameters.

This issue is related to #271 (browser binding).

See also the Device Binding section of the BBK requirements document. Currently the requirements doc

  • allows different types of storage, and
  • requires a signal (i.e. output) indicating the storage type.
