
Does implementing ActivityPub mean identities can be portable across servers now?


Hi! I'm co-editor of ActivityPub, so maybe I can answer some things. Identity portability could mean a few things; ActivityPub on its own will let you interact with identities on other servers (though Mastodon could do this before its adoption of AP, through OStatus... it has better private delivery now though). However, maybe what you mean is the ability of an identity to be "nomadic". If you use ActivityPub with https-based identifiers, you're still tied to a single instance.

However! It will be possible for ActivityPub applications to move in the direction of being more distributed systems... in fact I wrote a paper on this which I will be presenting at Rebooting Web of Trust in October: https://gitlab.com/dustyweb/talks/blob/master/activitypub/rw...

There's a lot of ideas in that paper, but the one that applies to a nomadic identity is Decentralized Identifiers support, or DIDs: https://w3c-ccg.github.io/did-spec/

DIDs are being worked on by the W3C Credentials Community Group (which I am also a part of) and will permit having an identity that is "self-sovereign". How I imagine this would work in an application like Mastodon, if Mastodon decides to include support for it in the future, is that you would register a DID for yourself and then go to your profile page and associate that DID with your user. You'd then have an identity that isn't tied to one specific node... indeed, in such a direction we'd begin to blur the line between the federated client-server web application model and peer-to-peer networks.

That's a ways off though. For now I think ActivityPub brings a lot of benefits to Mastodon (though I'm biased obviously). Still lots of exciting future ahead though!


Why not just use normal build signing of posts? All posts signed by the same private key have the same author even if published on different nodes etc. There is finesse for supporting subkeys and revocation and all the rest, but talking with a security consultant will sort out those kinds of details.


You could turn the whole thing on its head, have users sign their messages and broadcast them to anyone; a direct message would be encrypted to the expected recipients. Now you don't care about the particularities of an instance or opening an account, because all the work is happening on your machine. There is no migration, only transferring your database from one computer to another.

This is basically what secure scuttlebutt is doing:

https://www.scuttlebutt.nz/


Thanks very much for the explanation!



