
Sandboxes are hardly watertight, especially considering the hardware vulnerabilities that seem to be pouring in over the last few years. And the phone has taken over the space for useless applications from the desktop. Most desktops today only have a browser and some office application installed.

But that is beside the point, because a hardware token is almost impervious to attack. One would have to engineer a very specific bit of software or hardware and have physical access to this token. Requiring a phone app to confirm a payment made on your desktop just increases the attack vector.



>Most desktops today only have a browser and some office application installed.

The desktops I see on a daily basis don't have only a browser and office application installed.

I'm not sure which phone or OS you are using, but almost all smartphones have some kind of TPM or TEE nowadays. FWIW, the banking app on my Android phone makes use of that through the KeyChain API.



