> my authenticator app on my phone

Depending on which authenticator app (or maybe applies to all?), that data either is, or can be, backed up.

A yubikey cannot be cloned.[1]

> the malware rides along this expectation and gets ahold of your private SSH keys and stores them or sends them off somewhere.

Ah, this is where your misunderstanding lies. No, the crypto operation runs ON the TPM or yubikey. The actual secret key NEVER lives in RAM. (ehem, after it was imported, if importing is the method by which it was generated)

[1] You know what I mean. Of course in principle it can be. But not like a phone where it can literally be sent via scp.