Not OP but I use headscale and have it configured using Authentik for SSO. Works flawlessly once it's up and running. I also use headplane for the UI. It has SSO integration as well, which makes everything a breeze.
Edit: Forgot to mention, all running in docker with traefik as the reverse proxy.
Windows Hello ties the PIN to the TPM of the computer. It's not just you having a PIN, it's the PIN + the crypto secret loaded on the device. That's why it's more secure than just a complex password.