It means that the request to the API contains cryptographic proof that is was generated by a legitimate, reviewed app running on a unmodified and non-rooted mobile device controlled by Apple or Google.

fwiw this is a correct definition of Remote Attestation, matching what is mentioned in the github thread, but Client Assertion is something mostly unrelated (an OAuth implementation detail)