
"Thing you are" is not a replacement for "thing you know" because it can't be rotated (except surgically, and... nope)


There's really no need to rotate it because the biometric is only used locally. Your private key is kept encrypted at rest on your device, and a biometric (or PIN or password) is used to decrypt it during the passkey "do you have the correct private key?" authentication challenge.

The remote server only sees the result of the "do you have the correct private key?" challenge, not the biometric/PIN/password unlocking the private key that happens locally.


No-one's forcing you to use biometrics. Stick a strong password on your device and now it's guarded by something you know.



