An SSH private key isn't "something you have" - it's not a physical object, you can make copies of it.
To me it falls into "something you know". You might not be able to type it from memory into a file but in practical terms it's no different to a password, it just usually happens to reside on disk.
I use them for personal machines, and have deployed them in the past in work environments.
A few years ago I wrote a CA which can exchange oauth tokens for signed keys: https://github.com/nsheridan/cashier
Auth is handled in a browser e.g. by Google, and the CA will sign a key and return a cert with a valid token.
The lower-case headers is part of the http2 specification.