improve the testing of credentials against inserted FIDO keys a little

improve the testing of credentials against inserted FIDO keys a little
more: ask the token whether a particular key belongs to it in cases
where the token support on-token user- verification (e.g. biometrics)
rather than just assuming that it will accept it.

Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases.

Motivated by bz3366; by Pedro Martelletto