The core principle: Consider a padlock and key. During registration, the user provides the service a padlock (public key) and retains the corresponding key (private key) securely on their device. At sign-in, the service locks a unique challenge with that padlock and sends it to the user - only the device key can open it. The private key never leaves the device, so there is nothing of value held on the server side to steal or compromise.
The all-zeros AAGUID stored for Apple iCloud Keychain credentials is a function of Apple's platform design and cannot be patched, inferred, or administratively corrected without compromising the integrity of the credential record. The only technically sound resolution is to re-enrol affected users under a policy that requests direct attestation, and to add the verified Apple platform AAGUIDs to the identity provider's allowlist for future enrolments. Plan accordingly and communicate to affected users well in advance of the enforcement date.