Some password managers do offer the option of challenge-response from a hardware key, but technically speaking the password manager vault file can be considered "something you have" so long as you store it securely, like your SSH private key.
The problem is that the vault file can be copied, which means this is now "something you and your attacker have". Even worse, it's not just the (probably encrypted) vault file: if your computer ever gets compromised, it is trivial to wait until you unlock the vault, at which point they can extract the now-plaintext TOTP secrets.
The way I understand it, the "something you have" factor is something which is intrinsically only a single item: either you have it, or you do not. If it can be copied, one of the copies could be compromised without you noticing - and because it's a copy you wouldn't even be able to revoke it without changing your own token too.
Yes, it's something you have, but it's not a second factor if you're storing your (randomized) password in the same place. If you do that it's just two redundant checks that you have access to the same single password manager vault.
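The copyability point raised in the comments above, as an added example that is not part of any commenter's post: a TOTP secret is a shared symmetric key, so a copied vault entry produces exactly the codes the owner's does and the verifier cannot tell the holders apart. The `Verifier` class, the vault dictionaries and the replacement secret are constructed for illustration; the first secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server side: it only knows the shared secret."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def accepts(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, unix_time))

    def rotate(self, new_secret: bytes) -> None:
        self.secret = new_secret


def demo():
    secret = b"12345678901234567890"           # RFC 6238 test key
    owner_vault = {"totp_secret": secret}      # constructed vault entry
    copied_vault = dict(owner_vault)           # a copy of the same entry
    server = Verifier(secret)
    now = 1111111109                           # timestamp from the RFC vectors

    owner_code = totp(owner_vault["totp_secret"], now)
    copy_code = totp(copied_vault["totp_secret"], now)
    before = (server.accepts(owner_code, now), server.accepts(copy_code, now))

    # Revoking the copy means replacing the secret, which affects the owner's
    # entry in exactly the same way until the owner re-enrols.
    server.rotate(b"constructed-replacement-key")
    after = (server.accepts(owner_code, now), server.accepts(copy_code, now))
    return owner_code, copy_code, before, after


if __name__ == "__main__":
    print(demo())
```
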