Since the passkey is the private key in the private-public pair, if it’s stored on a password manager it can definitely be stolen by malware (if you could have a key logger, you could have something else too). The only solution is to have the passkey (actually private key) reside in hardware or be protected by dedicated hardware.