From: Zack Newman <zack@philomathiclife.com>
Subject: Re: ssh-keygen(1) FIDO authentication supports fingerprints
To: tech@openbsd.org
Date: Tue, 26 Nov 2024 13:55:02 -0700

> or does it not work that way?

It does not work that way. When I _generate_ a key, I'm required to
both press the FIDO key and enter the PIN; however, when I authenticate
to the server, I only need to press it. If I touch it using a different
finger than one that is registered, it errors and my YubiKey's
remaining attempts counter is decremented. If I have 3 consecutive
unsuccessful attempts (i.e., there are 0 remaining attempts), the key
locks and I have to enter my PIN to unlock it.

I can't even try to use a PIN. It's successful fingerprint or nothing.

I generated the key via the command below:

ssh-keygen -t ed25519-sk -O resident -O verify-required

I'm using a YubiKey C Bio - FIDO Edition (5.7.2). The server is
configured to only allow publickey authentication using
sk-ssh-ed25519@openssh.com with touch-required and verify-required
PubkeyAuthOptions.
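As an added illustration of the server-side policy discussed above (not code from the post or from OpenSSH), the following audits constructed authorized_keys lines and reports which FIDO (sk-*) keys would be accepted without user presence or user verification, combining the per-key options with a global PubkeyAuthOptions setting; it assesses sk-* keys only and assumes the precedence rules from sshd_config(5).

```python
# Constructed sample authorized_keys content; the base64 blobs are placeholders.
SAMPLE = """\
verify-required sk-ssh-ed25519@openssh.com AAAAC3_KEY1_PLACEHOLDER alice@bio
no-touch-required,command="/usr/bin/backup --full" sk-ecdsa-sha2-nistp256@openssh.com AAAAE2_KEY2_PLACEHOLDER bob@backup
sk-ssh-ed25519@openssh.com AAAAC3_KEY3_PLACEHOLDER carol@laptop
ssh-ed25519 AAAAC3_KEY4_PLACEHOLDER dave@legacy
"""

KEY_TYPES = ("ssh-", "sk-", "ecdsa-sha2-")

def split_options(field):
    """Split the comma-separated options field; commas inside double quotes do not split."""
    opts, cur, quoted = [], [], False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        opts.append("".join(cur))
    return opts

def parse_line(line):
    """Return {"options", "type", "comment"} for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0].startswith(KEY_TYPES):
        options, rest = [], line
    else:
        quoted, i = False, 0            # options field ends at the first unquoted whitespace
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"':
                quoted = not quoted
            i += 1
        options, rest = split_options(line[:i]), line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        return None
    return {"options": options, "type": parts[0], "comment": parts[2] if len(parts) > 2 else ""}

def effective_policy(entry, server_opts=()):
    """(touch, verify) for an sk-* key: a global touch-required overrides a per-key
    no-touch-required, and verify-required from either side requires UV."""
    touch = "touch-required" in server_opts or "no-touch-required" not in entry["options"]
    verify = "verify-required" in server_opts or "verify-required" in entry["options"]
    return touch, verify

def audit(text, server_opts=()):
    """List (line_no, comment, touch, verify) for sk-* keys missing presence or verification."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        e = parse_line(line)
        if e is None or not e["type"].startswith("sk-"):
            continue
        touch, verify = effective_policy(e, server_opts)
        if not (touch and verify):
            findings.append((n, e["comment"], touch, verify))
    return findings
```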