There are some hardware keys that have PINs, like OnlyKey, but you’re always going to have trade-offs (OnlyKey has some as well). You are correct that someone could steal the key and know your password, but the likelihood that someone could do both is likely low for most people, and if it’s high for you, you’re probably a state actor or big cybercriminal engaging in some crazy shit anyway.

The core tenets of good security are something you know and something you have. For example, my work uses an RFID badge and a personal code to get into the building. Neither works alone. If somebody steals my badge, they can’t get into the building without my access code. If somebody steals a database of access codes, they can’t get in without the badge that pairs with the code.

A TOTP is something you have, sure, but it’s only secure if someone is unable to extract the secret key (or the code at runtime, which is possible via screen-reading techniques); as long as it exists digitally, secrecy is not guaranteed, and the attack surface is larger—for any device connected to the internet—to have that key stolen.

A physical key is harder to steal over the internet, and an attacker would have to know you have one in the first place to even go about beginning to search for it (I don’t think a court could force you to divulge that you have one or where it is, since you have a right to remain silent, but I’m NAL).

Ultimately, there is no panacea of security, or else everybody would use that one thing. In the end, it comes down to your threat model and the kinds of attacks that are likely to be thrown at you.