On Macs, Secretive [0] is great. It creates keys in the secret enclave, from where they can't be read, only used for signing requests. TouchID authorisation is optional but it's so quick and easy that I keep it on for all keys.
It can also use Smart Cards (Yubikeys are called out by name in the readme).
A forwarded agent will have the same level of security, meaning that if the forwarded agent needs to use a key in Secretive, it will have to be authorised locally - and even if TouchID is disabled, you are notified if a key is used.
OpenSSH since 8.2p1 supports FIDO2 U2F keys directly (via libfido) using no proprietary Yubikey functionality, as the new ed25519-sk key type (sk for security key). The server also needs to be 8.2+ but doesn’t need to be compiled with libfido.
I was asking about using the secure enclave and Touch ID via the direct support on OpenSSH.
As for cross-platform compat, I wonder if you can use the same keys on the Yubikey via both Secretive and the native OpenSSH support. If it does I might look again into getting a Yubikey.
It can also use Smart Cards (Yubikeys are called out by name in the readme).
A forwarded agent will have the same level of security, meaning that if the forwarded agent needs to use a key in Secretive, it will have to be authorised locally - and even if TouchID is disabled, you are notified if a key is used.
[0] https://github.com/maxgoedjen/secretive/