cryptenroll: Implement support for unlocking via FIDO2 tokens

cryptenroll: Implement support for unlocking via FIDO2 tokens

This allows FIDO2 users to wipe out password slots and still be able to
enroll new key slots via systemd-cryptenroll. Note that when the user
wants to both unlock with a FIDO2 token and enroll a new FIDO2 token,
they cannot be set to automatic discovery. This is to safeguard against
confusion, because there will be multiple tokens connected to the system
when doing so -- and we require users to explicitly confirm which one to
use for unlocking and which one to use for enrollment.

Addresses #20230 for the FIDO2 case.