u/JacobTDC

▲ 15 r/termux

I wrote my own hardware keystore agent for Termux!

I wasn't happy with Termux:API and tergent, so I wrote my own plugin and companion app to handle the keystore!

Unlike Termux:API, my custom plugin supports Ed25519 keys *and* hardware-enforced per-use key authentication (instead of using a timeout; however, a key may still be created with the timeout system if desired). When the screen goes black in the recording, that's when the fingerprint prompt popped up.

And yes, it can be used as a PKCS#11 provider! I personally use it to authenticate to sudo on my remote machine via a forwarded ssh-agent and pam_ssh_agent_auth (hence the "remote_sudo" key).

In theory, it's also already primed for the support of quantum-secure ML-DSA keys when added in Android 17, though I haven't tested it myself.

It's not quite ready to publish yet, but it's good enough that I'm using it myself!

u/JacobTDC — 6 days ago