The server is not checking if you have a piece of paper. It is checking if you can produce a piece of information.
If someone steals your paper, copies the password to their phone, and then returns your paper, then the attacker can log in without that piece of paper. In a true "something you have", if you have that something then it is impossible for someone to log in to your account.
I agree with the general sentiment but every non-quantum "thing you have" can be duplicated.
PS: I suspect that you could make a 2FA protocol capable of detecting duplication of the thing you have by having the app generate signed codes like "this is the n-th code I have generated" and have the server remember the n as a logical clock to detect duplicates and "time travel".
AFAIK only bank-type apps would use something this sophisticated.
I agree, what I was trying to say is that not offering a key export is an attempt to gain some of the type of security provided by hardware keys: difficulty to access the secret.
An app generating OTP codes is a TYH while the secret used to generate the token is a TYK.
A password manager is a TYH while the passwords inside are TYK.
In general every (non-quantum) TYH possesses some kind of TYK that can be used to duplicate the TYH.
In the name of security sometimes there are locks around the TYK, sometimes physical, other times software.
In the case of passkeys the inability to export them makes them TYH.
* "Thing you have" is too long
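
The logical-clock idea raised in the thread (each code states "this is the n-th code I have generated" and the server remembers n) can be sketched as follows. This is an added example, not code from any commenter or product: the `Authenticator` and `Server` classes are hypothetical, and an HMAC over the counter stands in for the signature.

```python
import copy
import hashlib
import hmac
import secrets

def tag_for(key: bytes, n: int) -> str:
    # HMAC over the counter stands in for "a signed n-th code" (assumption).
    return hmac.new(key, str(n).encode(), hashlib.sha256).hexdigest()

class Authenticator:
    """The 'thing you have': a secret plus a counter that only moves forward."""
    def __init__(self, key: bytes):
        self.key, self.n = key, 0

    def next_code(self):
        self.n += 1
        return self.n, tag_for(self.key, self.n)

class Server:
    """Remembers the highest counter seen and flags any code that does not advance it."""
    def __init__(self, key: bytes):
        self.key, self.last_n, self.clone_suspected = key, 0, False

    def verify(self, n: int, tag: str) -> str:
        if not hmac.compare_digest(tag_for(self.key, n), tag):
            return "rejected: bad tag"
        if n <= self.last_n:
            # Authentic code, but the logical clock went backwards or repeated:
            # either a replay or a second copy of the authenticator exists.
            self.clone_suspected = True
            return "rejected: counter reuse"
        self.last_n = n
        return "accepted"

def demo():
    key = secrets.token_bytes(32)       # constructed shared secret
    server, device = Server(key), Authenticator(key)
    results = [server.verify(*device.next_code()) for _ in range(2)]
    clone = copy.deepcopy(device)       # constructed scenario: state copied at n=2
    results.append(server.verify(*clone.next_code()))   # copy presents n=3
    results.append(server.verify(*device.next_code()))  # original also presents n=3
    return results, server.clone_suspected

if __name__ == "__main__":
    print(demo())
```

The counter only reveals duplication once both copies have been used, and it cannot tell which of the two is the original, so the server's response to `clone_suspected` has to cover the whole account rather than one login.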