Ok, so:
Only a handful of sites support the YubiKey/the FIDO2 standard: Google and anyone using the new WebAuthn, most sites that use newer Duo Mobile service plans, GitHub, Twitter and most password managers.
Because of how ridiculously underhyped FIDO2 is despite the fact it is literally a few fries short of the holy grail of convenience without sacrificing an ounce of security, I would invest in a cheaper yet equally reliable option such as the Solo-key. It supports any site that uses FIDO2, as well as SSH non-resident keys. Unlike the YubiKey, the signed firmware is upgradeable on the Solo-key, and the code along with the hardware design is open source. Because of that, outside audits have confirmed its legitimacy and security, whereas YubiKey is another case of having to take their word for it.
Among the major holdouts for FIDO2, PayPal remains the top one. I have a feeling they have less interest in actually strong security practices, since this is the same company that will only allow you 20 (count 'em, 20) characters in your password. I'm guessing the rationale is that a hacked account will get them easy money in the long run, since the 7 to 10 days spent processing your several hundred to thousand dollar refund from the hacker's Twitch emote spending spree will no doubt result in PayPal collecting floating interest while "processing" your refund. Let's cash in, man!
So until PayPal gets their shit together, financial security remains stuck in the past.