Resident Discoverable SSH Keys not working


I am on a transition from macOS to NixOS. One piece of the puzzle that I am missing is the use of my fido2 SSH keys. Both macOS and Nix are using SSH version 9.6p1.

On both devices, I insert the Yubikey, do ssh-keygen -K, it asks for the Yubikey PIN, asks to set the keypair password and the public/private keys are output accordingly.

Then, on macOS I will do ssh -i .ssh/id_ed25519_sk_rk_xxx username@hostname. I’m prompted for the ssh key passphrase, the yubikey PIN and requested to touch the yubikey to confirm ‘user presence’ and I’m logged in.

However, on NixOS I also do ssh -i .ssh/id_ed25519_sk_rk_xxx username@hostname where I’m prompted for the ssh key passphrase, however I am not prompted for the Yubikey PIN or to touch it but instead returned with the error:

sign_and_send_pubkey: signing failed for ED25519-SK "id_ed25519_sk_rk_xxx" from agent: agent refused operation

In my configuration.nix I have:

environment.systemPackages = with pkgs; [
  pinentry-curses.  #For GPG


programs.ssh.askPassword = "";
services.pcscd.enable = true;

In home.nix:

programs.ssh = {
  enable = true;

services.ssh-agent = {
  enable = true;

Any suggestions would be greatly appreciated. Thanks