francoismichel / ssh3

SSH3: faster and rich secure shell using HTTP/3, check out our article here: https://arxiv.org/abs/2312.08396 and our Internet-Draft: https://datatracker.ietf.org/doc/draft-michel-ssh3/

add support for PKCS11

edgecase14 opened this issue · comments

This will enable various hardware-backed private key tokens: Yubikey, Smartcards, TPM

I think it can be easily done by relying on OpenSSH's ssh-agent. Currently, we only look at files containing public keys, but we could ask for ssh3 to use PKCS11 through ssh-agent. That would enable using PKCS11 without having to support it natively in ssh3 right now.

FYI I made it work with a Yubikey through SSH agent.
SSH3 currently does not handle the -sk key format, but with classical RSA pubkeys generated by the ssh-agent it works.

You can make it work using the following procedure: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html (Step 6 won't work but you can connect using the pubkey-for-agent switch)
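The agent-bridging procedure the comments above describe, as an added shell example (not code from the ssh3 project or from the commenters). It assumes a running ssh-agent (SSH_AUTH_SOCK set), a PKCS#11 module path you supply (the libykcs11.so path is a placeholder), and the ssh3 client's pubkey-for-agent switch referred to above; RSA is selected because the thread reports that -sk keys are not handled.

```shell
#!/bin/sh
# Added example: expose a PKCS#11 token (e.g. a YubiKey PIV slot) to ssh3 through
# OpenSSH's ssh-agent instead of native PKCS#11 support.
set -eu

# Select exactly one public key line from `ssh-add -L` output (stdin) by key
# type and an optional comment substring. Prints that line; fails with status 1
# if nothing matches and status 2 if the choice is ambiguous.
pick_agent_pubkey() {
    type="$1"; comment="${2:-}"
    matches=$(awk -v t="$type" -v c="$comment" '$1 == t && (c == "" || index($0, c) > 0)')
    [ -n "$matches" ] || { echo "no $type key matching '$comment' in agent" >&2; return 1; }
    [ "$(printf '%s\n' "$matches" | wc -l)" -eq 1 ] || { echo "ambiguous: several $type keys match" >&2; return 2; }
    printf '%s\n' "$matches"
}

# Load the PKCS#11 provider into the agent (ssh-add prompts for the PIV PIN),
# export the matching RSA public key to a file, and hand that file to ssh3 so
# it asks the agent to sign with the hardware-backed private key.
load_token_and_connect() {
    module="$1"; target="$2"; pubfile="${3:-$HOME/.ssh/piv_agent_key.pub}"
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo "no ssh-agent reachable (SSH_AUTH_SOCK unset)" >&2; return 1; }
    # ssh-add -s fails if the provider is already loaded; that is harmless here.
    ssh-add -s "$module" || echo "ssh-add -s failed (provider may already be loaded)" >&2
    ssh-add -L | pick_agent_pubkey ssh-rsa "$module" > "$pubfile"
    chmod 600 "$pubfile"
    # Assumed form of the switch mentioned in the thread; check `ssh3 -h` on your build.
    ssh3 -pubkey-for-agent "$pubfile" "$target"
}

# Example invocation (placeholder module path and target):
# load_token_and_connect /usr/local/lib/libykcs11.so user@server.example:443/ssh3
```

The private key never leaves the token: ssh3 only sees the public half, and every signature is produced by the agent talking to the PKCS#11 module.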