Hi @KonstantinSilka,
Thanks for posting your question on Microsoft Q&A.
The documentation below has more detailed information about using FIDO keys for Windows Sign-In:
Besides, I'm sending some answers to your questions:
1 - You can use your FIDO keys to sign in to on-premises resources if you have a Hybrid environment, now called Microsoft Entra Hybrid Joined Devices. This document has more details about the prerequisites: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows#requirements
Also, this other document details the steps to configure FIDO keys to access the on-premises resources: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
2 - If Entra ID is unavailable, users can still fall back to user/password or any other cached method in place.
3 - Using FIDO with VDI, RDP or Citrix is not supported at this moment.
Hope it helps you with your decision!
Thanks