What I mean is that even without XSS, if a user falls victim to a phishing attack they'll have loaded a phishing page under the attacker's control. The scenario is that the attacker is in control of JavaScript running in the victim's non-FIDO browser, but not in control of the browser itself.
In this case the attacker's phishing webpage, and any script it serves, will be loaded and running in the non-FIDO WebView on the victim's client device, so any requests originating from that page will originate from the victim's IP address (1.2.3.4 in your examples), not from the phishing server's address (6.6.6.6). So if the phishing page uses AJAX requests to interact with the IDP, it'll bypass the IP address validation, and the IDP will return any secrets and cookies to the phishing page. If those secrets and cookies are accessible to the attacker's JavaScript, the attacker can intercept them without routing the requests through a proxy server. Thus the attacker can initiate the detached FIDO flow and receive the privateToken, call out to the FIDO Browser which will correctly complete the FIDO authentication, and then use the compromised privateToken to redeem a session secret. It doesn't matter if the authentication in the FIDO browser is secure if the phishing page in the non-FIDO browser can still acquire a session secret, or indeed other sensitive data, in the end.
On further thought, I don't think HttpOnly cookies is enough. I think HttpOnly should suffice to secure the initial session cookie, but the session cookie is far from the only sensitive piece. While the attacker won't have direct access to the session cookie, they can still exercise the cookie in AJAX requests to access and exfiltrate sensitive data. Furthermore we should assume the attacker has the victim's password, since they're on a phishing page. They can also use AJAX to enroll new WebAuthn credentials under the attacker's control - not by calling the WebAuthn API in the browser of course, but by simply constructing the PublicKeyCredential structures in pure JavaScript (or, if the server requires trusted attestation, by calling out to a remote server with an approved authenticator connected). Then the attacker can access the account directly from any other device, since they now have full control of the password and a FIDO credential registered to the account.
Did I miss something that would prevent these kinds of attack?