Microsoft's "PIN" is not a four-digit number code, it's an arbitrary-length device passphrase that can include all symbols found on your keyboard. The only reason they don't call it a password is because you already have a (global) account password, and the PIN only serves to unlock that device. If you have two devices, you can have a different PIN for each, and both will still log you into the same account.


Critically, they don't know the PIN and so can't lose it. When you use your global Microsoft account login, they know the password. Now, if they're careful they immediately forget it after verifying it, and it's hard to steal the authentication credentials they keep, and so on. But you're relying on them being unfailingly careful there. Whereas, for the PIN, even if Microsoft screws up they don't know it and can't lose it.

FIDO 2FA is safer because both factors stay where you are; the FIDO device promises it checked the other factor. The FIDO device is something you have, while it vouches for your other factor (like a PIN, something you know, or a fingerprint, something you are) by signing a bitflag labelled UV, User Verified. This flag says: "I promise I verified this is the same human that we originally enrolled." Which human? Not something the FIDO device knows or cares about, and so it can't tell the Relying Party anything they didn't already tell it about who was enrolled. How did it check? Not revealed to the Relying Party.
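Added example, not part of any comment above: the UV bit the comment describes lives in the flags byte of the WebAuthn/CTAP2 authenticatorData structure (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signature counter, optional attested credential data and extensions). The code below parses that structure and shows the Relying Party side of the check: it learns only whether UP/UV were asserted, never which method (PIN, fingerprint, ...) the authenticator used. The sample authenticatorData bytes are constructed inline; the signature over authenticatorData || clientDataHash, which the RP must also verify with the credential's public key, is outside this example.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present: some test of user presence (touch) happened
FLAG_UV = 0x04  # User Verified: authenticator checked PIN/biometric, method not disclosed
FLAG_BE = 0x08  # Backup Eligible
FLAG_BS = 0x10  # Backup State
FLAG_AT = 0x40  # Attested credential data included (registration only)
FLAG_ED = 0x80  # Extension data included

AUTH_DATA_MIN_LEN = 32 + 1 + 4


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of authenticatorData.

    Anything after the counter (attested credential data, extensions) is
    intentionally left alone here; only the fields the UV check needs are returned.
    """
    if len(raw) < AUTH_DATA_MIN_LEN:
        raise ValueError("authenticatorData too short: %d bytes" % len(raw))
    rp_id_hash = raw[:32]
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData blob, as an authenticator would emit
    for an assertion (no attested credential data, no extensions). Used only to
    fabricate sample input for this example."""
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags & 0xFF])
        + struct.pack(">I", sign_count)
    )


def rp_accepts(raw: bytes, expected_rp_id: str, require_uv: bool, stored_sign_count: int):
    """Relying Party checks on authenticatorData (signature check not shown).

    Returns (accepted, reason). Note what the RP can and cannot learn: it sees
    the UP and UV bits, but nothing about how the authenticator verified the user.
    """
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        return False, "rpIdHash mismatch"
    if not ad.user_present:
        return False, "UP flag not set"
    if require_uv and not ad.user_verified:
        return False, "UV required but not asserted"
    # Counter check per the spec: only meaningful if either value is nonzero;
    # a counter that fails to increase suggests a cloned authenticator.
    if (ad.sign_count != 0 or stored_sign_count != 0) and ad.sign_count <= stored_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: authenticator asserted both UP and UV for example.com.
    sample = build_auth_data("example.com", FLAG_UP | FLAG_UV, 5)
    print(rp_accepts(sample, "example.com", require_uv=True, stored_sign_count=4))
    # Same device, but the user only touched it (UP) without PIN/biometric (no UV).
    touch_only = build_auth_data("example.com", FLAG_UP, 6)
    print(rp_accepts(touch_only, "example.com", require_uv=True, stored_sign_count=5))
```

The RP requests user verification through the `userVerification` option of the WebAuthn `get()` call; if it asked for "required", the only evidence it ever receives that a second factor was checked is the UV bit in this signed structure, which is exactly the property the comment describes.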
