Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won't work on another device.
Now I don't know if that key can be stolen or not, or if it's really more secure or not, as people have really unsecure pins.
Most hardware today has what's called a TPM. It's a physical hardware chip that can store certificates in a way that can't be extracted.
It's way more secure than someone stealing a cer file.
I know what TPM is, am not talking out of my ass here. But chain is only as strong as its weakest link, which is backup certificates somewhere protected by a pin or simple password. If it still requires password to access certificate, than you have moved issues from one place to another. What good is iron front door when you leave your windows open.