by maliker 582 days ago
It does a 3d scan of the face, so you can't crack it with an image or video.

It seems kind of bogus to me. You're going from using a cryptographically secure device to using biometric data.

Biometric data can be copied and faked.

Phones have a TPM just like a USB security key. The Face ID on a phone-based passkey is just the equivalent of pushing the button on the YubiKeys.

So they need the physical device. You cannot clone the TPM parts that are in newer phones. The Face ID just unlocks that hardware on your phone in the same way pushing the button on a YubiKey sends the key up.

That's fair, but consider this:

1) The Face ID TPM is connected to the phone all of the time, whereas you only plug the YubiKey TPM into your computer when you need it.

2) The biometric data that the Face ID TPM collects is available pretty much all the time when you use the phone. It's not like a fingerprint sensor where you would have to go out of your way to press your finger to it. If you can hijack the OS silently, then you can probably hijack Face ID silently.

It just seems backwards to me to replace a "simple" hardware token that you have to physically plug in with a massively complex internet-connected device. If someone steals your hardware token, you know.

I think a lot of people in this thread are assuming passkeys are passwordless. They are just the latest way to do what we used to need an external Yubikey for.

You can still set the settings on individual sites to ask for a password when using a security key (external USB or device based) if that's where your concern is. The whole 'skip password' thing was just there as a convenience for people who aren't worrying about physical and biometric access but do want the two factor auth (protection against phishing, by far the most common threat).

You can also set your phone's unlock how you want if you don't want Face ID.

Your face is the PIN code, not the passkey.

It unlocks the cryptographically secure device, it doesn't replace it. To access your passkey through Face ID, they have to steal your phone, unlock your phone, and then spoof Face ID.