arcanicanis (arcanicanis@were.social)'s status on Monday, 16-Jan-2023 09:06:21 JST
You seem very stuck on the point about hardware: there's nothing that imposes that it requires dedicated hardware. The point of specialized hardware is typically to have storage that's engineered so that you can't just crack it open and do an EEPROM dump to pull the keys out, or file down the coating of an IC to probe at any internal parts of the storage to do the same. Or have extra shielding to prevent voltage differences giving off spurious emissions that could infer details about the key.
As for rubber-hose cryptanalysis: someone could also engineer a dual-purpose security token that by default acts like an ordinary innocuous flash drive, and through some procedure (some button, a fake write-protect switch, or some 'port knock'-like communication over USB to the device), have it switch over to presenting itself as an authentication token. Thus you could have something that looks and acts like any generic white-label consumer electronic and have plausible deniability and such when crossing some very invasive border searches.
As a quick surface-level search on software implementations:
https://github.com/danstiner/rust-u2f
https://github.com/gsora/fidati (custom firmware)
Also, as for some projects within the scope of the specification: there's only so much you can add/revise to a software project for something that's built/used for a very specific and narrow purpose (signing an input, and incrementing a counter), especially something meant to be minimalist, in contrast to something over-engineered like PKCS11 smartcards that can run Java applications.
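
Added example (not part of the post above, and not code from rust-u2f or fidati): a sketch in Go of the "signing an input, and incrementing a counter" core of a software U2F token, together with the relying-party check that uses the counter. `Token`, `NewToken`, `Sign`, `Verify` and the sample parameters are hypothetical names and constructed values; the signed byte layout follows the U2F raw message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token is a hypothetical software authenticator: one P-256 key plus a counter.
type Token struct {
	Key     *ecdsa.PrivateKey
	Counter uint32
}

func NewToken() (*Token, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{Key: key}, err
}

// digest hashes app parameter (32) || presence (1) || counter (4, big-endian) || challenge parameter (32).
func digest(app, chal [32]byte, counter uint32) [32]byte {
	buf := append(append([]byte{}, app[:]...), 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(buf[33:37], counter)
	return sha256.Sum256(append(buf, chal[:]...))
}

// Sign increments the counter, then signs the input with the new value.
func (t *Token) Sign(app, chal [32]byte) (uint32, []byte, error) {
	t.Counter++
	d := digest(app, chal, t.Counter)
	sig, err := ecdsa.SignASN1(rand.Reader, t.Key, d[:])
	return t.Counter, sig, err
}

// Verify (relying-party side) needs a valid signature and a counter above the last one stored for this key.
func Verify(pub *ecdsa.PublicKey, app, chal [32]byte, counter uint32, sig []byte, last uint32) bool {
	d := digest(app, chal, counter)
	return ecdsa.VerifyASN1(pub, d[:], sig) && counter > last
}

func main() {
	tok, _ := NewToken()
	app, chal := [32]byte{1}, [32]byte{2} // constructed sample parameters
	n, sig, _ := tok.Sign(app, chal)
	fmt.Println(n, Verify(&tok.Key.PublicKey, app, chal, n, sig, 0)) // first use is accepted
	fmt.Println(n, Verify(&tok.Key.PublicKey, app, chal, n, sig, n)) // same counter again is rejected
}
```

Because the counter is inside the signed bytes, a relying party that stores the last value it saw can reject a replayed response or one from a copy of the key that has fallen behind.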