If your are working on a development environment,
https may not be available but the context could be considered as secured. You can bypass the scheme verification by passing the list of rpIds you consider secured.
$publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check($authenticatorAttestationResponse,$publicKeyCredentialCreationOptions,$serverRequest,['localhost']);
$publicKeyCredentialSource = $authenticatorAssertionResponse->check($publicKeyCredential->getRawId(),$authenticatorAssertionResponse,$publicKeyCredentialRequestOptions,$request,$userHandle,['localhost']);