First, the wallet application requests from the HSM/TEE generates a dedicated key-pair for the account. The private-key will never leave the HSM/TEE.
Then, the wallet application sets the Hardware Signer key as the main key of the account by sending a signed transaction to the account contract indicating the new public key.
When it is set-up you will see the security icon next to your account name.
Once the Hardware Signer has been set, the account contract will verify each transaction only with the Hardware Signer public key. The user will have to sign each and every transaction in the account using the Hardware Signer authenticated with his biometric face or fingerprint ID.