Cookies should always be used in conjunction with a TLS Session ID.
If the session ID doesn't match, then throw away the cookies.
Session ID is designed to be hard to steal - in some clients, it actually uses keys from the TPM to derive the session ID - so even if someone steals the browser cookie jar, there is no way they can recreate the session ID.
If you're using an ATM and just put in your card and entered your PIN, and then someone walks up with a knife, makes you leave, and withdraws $1000 from your bank account, was that a bypass of the ATM's 2FA?
This article talks about infostealers which don’t resort to violence or five dollar wrench attacks. Instead they sneak onto systems via various means and surreptitiously exfiltrate all they can. Some even bypass AV by being polymorphic and installing root kits which can’t be so easily removed by AV.
It doesn't have to be violence though. Consider if you logged in to your email with 2FA, then walked away from your computer without locking it, and then someone else walked up and copied all of your messages. Is that bypassing 2FA?