"yubikey is supposed to be always carried by its owner, so that studying its power consumption is not practical for the adversary."
How is that a valid assumption? The YubiKey will be plugged into a device that the attackers might have compromised. They may instrument that device to do power analysis of it any time it's plugged in. On top of any direct attacks that are available.
Just a guess: if it's carried around and powered off and on, it does not have a steady temperature, leading to a lot of additional noise in power consumption (as opposed to repeatedly testing power consumption of a desktop CPU, which can be done in short intervals at nearly the same environmental conditions).
How is that a valid assumption? The YubiKey will be plugged into a device that the attackers might have compromised. They may instrument that device to do power analysis of it any time it's plugged in. On top of any direct attacks that are available.