I'm interested in using Apple DeviceCheck with this spec as DeviceCheck exists today and can be used in non-enterprise settings. Problem is that DeviceCheck[0] adheres to WebAuthn more strictly than this spec and thus it seems impossible to combine at the moment. The problem lies in the redefinition of attToBeSigned. Namely DeviceCheck will concatenate the authData instead of ignoring it.
Instead of defining attToBeSigned = sha256(key authorization)
it defines it as:
attToBeSigned = authData || sha256(keyAuthorization)
I think we could adopt the spec in a backwards compatible way with the current spec to say:
authData MAY be present; if authData is present, it MUST be prepended to attToBeSigned.
This would make Apple DeviceCheck[0] compatible with this spec.
[0] - https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server
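
The compatibility rule proposed above, as an added example that is not part of the original message or of either specification: it checks which verifier definition accepts which kind of statement. HMAC stands in for the real attestation signature, and the key, key authorization and authData bytes are constructed values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values; HMAC is a stand-in for the attestation signature.
KEY = b"constructed-demo-key"
KEY_AUTHORIZATION = b"constructed-token.constructed-thumbprint"
# Minimal 37-byte WebAuthn authData: rpIdHash (32) | flags (1) | signCount (4).
AUTH_DATA = hashlib.sha256(b"constructed-rp-id").digest() + b"\x01" + (0).to_bytes(4, "big")


def att_to_be_signed(key_authorization: bytes, auth_data: Optional[bytes] = None) -> bytes:
    """Proposed rule: authData MAY be present; if present it is prepended."""
    digest = hashlib.sha256(key_authorization).digest()
    return (auth_data or b"") + digest


def sign(message: bytes) -> bytes:
    return hmac.new(KEY, message, hashlib.sha256).digest()


def verify_current(sig: bytes, key_authorization: bytes) -> bool:
    """Current definition: sha256(keyAuthorization) only, authData ignored."""
    return hmac.compare_digest(sig, sign(hashlib.sha256(key_authorization).digest()))


def verify_proposed(sig: bytes, key_authorization: bytes,
                    auth_data: Optional[bytes] = None) -> bool:
    """Proposed definition: authData || sha256(keyAuthorization) when authData is sent."""
    return hmac.compare_digest(sig, sign(att_to_be_signed(key_authorization, auth_data)))


def compatibility_matrix() -> dict:
    digest = hashlib.sha256(KEY_AUTHORIZATION).digest()
    plain_sig = sign(digest)                  # statement without authData
    authdata_sig = sign(AUTH_DATA + digest)   # statement signed over authData too
    tampered = AUTH_DATA[:-1] + b"\x01"       # signCount changed after signing
    return {
        "no authData, current rule": verify_current(plain_sig, KEY_AUTHORIZATION),
        "no authData, proposed rule": verify_proposed(plain_sig, KEY_AUTHORIZATION),
        "authData, current rule": verify_current(authdata_sig, KEY_AUTHORIZATION),
        "authData, proposed rule": verify_proposed(authdata_sig, KEY_AUTHORIZATION, AUTH_DATA),
        "tampered authData, proposed rule": verify_proposed(authdata_sig, KEY_AUTHORIZATION, tampered),
    }


if __name__ == "__main__":
    for case, accepted in compatibility_matrix().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Because authData is covered by the signature under the proposed rule, a verifier has to use the exact bytes it received; any change to them makes the check fail.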