How does a server using WebAuthn know that the client it is talking to is the right one? For example, say my bank wants to use WebAuthn instead of a username and password to let me access my account. How does the bank's server know that the public key I give it (via my browser) corresponds to my account?

Also, what if my device gets stolen? How do I prevent someone else from accessing my account, since the secret needed to do so is on the device, not with me?

1) They link the public key to your user account in their database.

2) Passkeys are 2FA by default. Someone needs to steal your phone where the private key is stored (first factor) and they would need your Face ID / Touch ID / PIN Code (second factor). Just loosing your phone doesn't give someone else the chance to use your passkey for authentication.