Maybe a web implementation with all its built-in protections really is the most pragmatic solution even if it isn't lightweight.
I think a safe language like SML/ocaml, erlang, or rust (each with various performance/productivity tradeoffs) is a better solution if we can get a secure framework on top.
Client certificates can cover the client auth side although there are gotchas:
(1) dealing with revocation is more difficult as devices can more easily become compromised (physical access = extracting keys from flash/RAM.)
(2) assume a vendor issues a unique client cert on every device, and the chain reaches a CA. For multi-tenant cloud vendors, you still need to figure out which e.g. Philips Hue bulb is Bob's when Bob logs into his cloud portal. So there's a pairing issue that usually requires a one-time-pad or similar. Right now everyone does that differently.
To put it another way: the Mozilla proposal needs to work with _multiple_ security models. They won't get there overnight.