
I think it's actually the RP being broken, not my authenticator. Conceptually, it's the RP's burden to either avoid this situation or allow eventual consistency:

There's an explicit mechanism in WebAuthn to avoid duplicate credential generation (excludeCredentials). If an RP still insists on rotating, what they should be doing is to first add the new credential, perform a successful authentication with it, and then retire the old one.

So the problem only happens if a "single passkey only" site does not support excludeCredentials, as far as I can tell.
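As an added example (not code from the comment above or from any RP), here is a minimal RP-side model of the two safeguards the comment describes: creation options that list the user's existing credentials in excludeCredentials, and a rotation flow that stores the new passkey but only retires the old one after the new one has authenticated successfully. The in-memory user object, the rpId and challenge values, and the assertionValid flag (standing in for real signature verification) are all assumptions.

```javascript
const STATUS = { PENDING: "pending", ACTIVE: "active", RETIRED: "retired" };

function newUser() {
  return { credentials: [] };
}

// Tell the authenticator which credentials already exist for this user so it refuses to
// create a duplicate (WebAuthn excludeCredentials). Pending credentials are excluded too,
// so a retried registration ceremony cannot mint a second unrecorded passkey.
function creationOptions(user, rpId, challenge) {
  return {
    rp: { id: rpId, name: rpId },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
    excludeCredentials: user.credentials
      .filter((c) => c.status !== STATUS.RETIRED)
      .map((c) => ({ type: "public-key", id: c.id })),
  };
}

// Store the new credential but do NOT retire the old one yet. If this response never
// reaches the RP the user still has the old passkey; if it does, both work for now.
function registerCredential(user, credentialId, publicKey) {
  if (user.credentials.some((c) => c.id === credentialId)) {
    throw new Error("credential id already registered");
  }
  const status = user.credentials.length === 0 ? STATUS.ACTIVE : STATUS.PENDING;
  user.credentials.push({ id: credentialId, publicKey, status });
}

// Only a successful authentication with the new (pending) credential completes the
// rotation and retires the previously active credential(s). Retired ids are rejected.
function authenticate(user, credentialId, assertionValid) {
  const cred = user.credentials.find((c) => c.id === credentialId);
  if (!cred || cred.status === STATUS.RETIRED || !assertionValid) return false;
  if (cred.status === STATUS.PENDING) {
    for (const other of user.credentials) {
      if (other !== cred && other.status === STATUS.ACTIVE) other.status = STATUS.RETIRED;
    }
    cred.status = STATUS.ACTIVE;
  }
  return true;
}
```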
