If it is copiable, how would you know if it had been compromised?
My understanding is that backup keys should not be identical for that reason. Lets you revoke and audit use.
As such, having a backup has to be accessible so that you can register it places. There are tricks, but they only work in certain scenarios. Mostly not in the FIDO use cases.
So that the friend, or someone who steals from the friend, can impersonate me?
Proving your identity when you lost your proof of identity is still an unsolved problem if you ask me. At least in general, it seems that there is no one solution that works for everyone.
Then you are going to know that the friend was messing with your hardware key. Better that than finding out they are willing to betray you by stealing from you.