I actually stumbled upon this issue recently with unmanaged Mac devices needing to access an Azure Virtual Desktop environment.
But I also need phishing-resistant MFA within the session…

You mention:
If you need MFA within the session consider a combination of ‘web account’ configuration and using the security key as a smart card

Not sure how this would work. But this will never satisfy any Conditional Access policies requiring phish-resist MFA strength, right?