Yubikeys have PIN for FIDO2 passwordless auth, see `ykman fido set-pin` command (IIRC, there a GUI for this as well but I don't have a single passwordless login - to best of my awareness, no single website on the web that I use seem to support this).
This is different from typical U2F operations, though, where website asks for a password ("know") and a hardware token ("have"). For those, password is the secret part already.
If someone phished someone's password AND stole one's Yubikey - well, this is a very peculiar situation, where, indeed, the scenario fails. If someone steals a laptop with Yubikey plugged in - they (hopefully) don't have passwords. Unless someone had set it up to login and open their password manager with just a touch of the said Yubikey, without anything extra. Which is, again, quite a peculiar situation.
This is different from typical U2F operations, though, where website asks for a password ("know") and a hardware token ("have"). For those, password is the secret part already.
If someone phished someone's password AND stole one's Yubikey - well, this is a very peculiar situation, where, indeed, the scenario fails. If someone steals a laptop with Yubikey plugged in - they (hopefully) don't have passwords. Unless someone had set it up to login and open their password manager with just a touch of the said Yubikey, without anything extra. Which is, again, quite a peculiar situation.