Android Key Attestations are bound to the app that minted the key, so this does prevent a fully-functional clone from working if they use attestation during auth. But it doesn't prevent a fake app that only exists to phish credentials.