
Yes, but the idea is that you'd enroll the device (and its TPM), and thence wouldn't be phishable like this. Granted, there might still be a problem at device enrollment time.



See sibling thread, we're being duplicated; the point of this OAuth flow is to sign in on a different device, using the trusted one. That different device might be a legitimate TV with a TPM and cryptographic attestations that it truly belongs to John Doe, but there is still no way for your iPhone and Apple to check whether you meant to sign in to John Doe's TV or if they are a scammer and sent you the (legitimate) sign-up link over email.
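The cross-device flow the comment describes, simulated as an added example (not code from the thread or from any vendor): a toy authorization server with the three steps of the OAuth 2.0 device authorization grant (RFC 8628). It shows that the approval step on the trusted device sees only the user code and the registered client, so whoever initiated the request is indistinguishable at that step. The class name, the client id `apple-tv-app` and the user names are made up for the demo.

```python
import secrets


class DeviceAuthServer:
    """Toy authorization server for the RFC 8628 device authorization grant.
    Constructed for this demo; not a real implementation."""

    def __init__(self):
        self.pending = {}  # user_code -> record of one sign-in attempt

    def request_codes(self, client_id, requester):
        # Step 1: the device that wants to sign in asks for a code pair.
        # 'requester' is demo bookkeeping only: a real server never learns
        # who physically holds the device that sent this request.
        device_code = secrets.token_urlsafe(16)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[user_code] = {"client_id": client_id, "device_code": device_code,
                                   "approved_by": None, "requester": requester}
        return device_code, user_code

    def approve(self, user_code, user):
        # Step 2: the user enters user_code on the device they are already signed
        # in to. Everything the consent screen can show is what is returned here:
        # the code and the registered client. Nothing says whose device redeems it.
        rec = self.pending.get(user_code)
        if rec is None:
            return None
        rec["approved_by"] = user
        return {"user_code": user_code, "client_id": rec["client_id"]}

    def poll_token(self, device_code):
        # Step 3: the requesting device polls with its device_code for a token.
        for rec in self.pending.values():
            if rec["device_code"] == device_code:
                if rec["approved_by"] is None:
                    return {"error": "authorization_pending"}
                return {"access_token": "tok-" + secrets.token_hex(8),
                        "account": rec["approved_by"]}
        return {"error": "invalid_grant"}


def consent_view(requester):
    """Run one full flow; return what the approving user could see at step 2
    (minus the random code) and which account the token was issued for."""
    server = DeviceAuthServer()
    device_code, user_code = server.request_codes("apple-tv-app", requester)
    assert server.poll_token(device_code) == {"error": "authorization_pending"}
    shown = server.approve(user_code, "john.doe")
    token = server.poll_token(device_code)
    return {k: v for k, v in shown.items() if k != "user_code"}, token["account"]
```

Running `consent_view` for two different requesters yields identical consent data, which is the gap the comment points at: the check would have to come from outside this exchange.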


It's essentially an enrollment workflow using an existing enrolled device, yes?


This submission's title mentions "2FA". The first post in this thread is about OAuth. Nothing in here is about anything but the "enrollment".



