
For a web-exposed use case: TPMs are used as part of Windows's FIDO2 implementation, to make sure that the secret actually cannot be exfiltrated to other hardware.

That doesn't come with any particular privacy concerns however.



Right, I meant that there's no JavaScript API to communicate with a TPM directly as far as I know. You can still use a TPM as part of your auth to a website, it just has to go through a protocol where the browser handles the interaction. So a website can't leverage the TPM for tracking purposes afaik.

But web is really not so much my thing, so I'm now at the point where I'm probably going to start saying incorrect things.


It's too low level of an interface to directly expose to web apps tbh.


Ah, so the vendors implementing the WebAuthn spec in their browser can use the TPM as "secure storage" for the related keys?


Yes.



