Hey Tim,
Think of the Yubikey as a two-in-one device. The U2F “half” is separate from the OTP “half”. The U2F half is limited to use with Chrome and users can enroll it (associate it with their Duo account) themselves. The OTP half must be added by an Admin and is managed like a typical hardware token. This OTP half is what you’ll need to use with the AnyConnect clients.
This article differentiates between the two functionalities of the Yubikey: https://help.duo.com/s/article/2942
Sounds like you’ll need to login to your Duo Admin Panel, import your Nano as a HW Token (so you can use the OTP “half” mentioned above), then associate that token with your username. You’ll then be able to login to your AnyConnect by typing in your username, passcode, then in the Secondary Password field you’d tap and hold your Nano until it writes an OTP code in that Secondary Password field.
Users cannot self-enroll through the AnyConnect (and can never self-enroll a HW Token including the Nano). Those users would need to login through a browser to self-enroll, or you could send them an enrollment email from the Duo Admin Panel. https://duo.com/docs/enrolling_users
best,
-Greg