Hacker News

dboreham 12/09/2024

Passkey can be thought of as software emulation of a smartcard (aka hard token aka Yubikey). When it asks you to save it, that's when it creates the virtual smartcard in some reasonably secure local storage (possibly TPM-secured or at least kernel-secured).

The benefit of this approach is that a bot doesn't have the private key.

Of course you want to be sure that webauthn onboarding can't be botted.


Replies

itake 12/09/2024

I'm still confused... Why can't headless Chrome with Bitwarden easily bypass this? What private key?