Can I leave the device in a USB slot?
Yes. I leave my YubiKey Nano in 24/7. It's used to decrypt my hard drive and for passwordless login to my computer.
Then what's keeping me in the same room as I send these "human" requests?
They require physical interaction with the hardware device. Do you even know what a YubiKey is?
A hardware device, which can get lost, stolen, or just plain broken.
I have it on my keychain; I can't get into my house or car if it's lost or stolen. Very difficult to break. That's why you have a backup. I don't think you noticed that they're talking about using this as a CAPTCHA replacement, not actual authentication. They're effectively abusing the fact that this form of authentication cannot be automated or faked. They don't care about anything other than that the response is signed by a manufacturer that has proper security keys that can't be easily hacked.
FIDO security keys are essentially PGP or SSH for authentication. When you use the device for the first time or reset the device, a randomly generated public/private key pair is created. When you register with a new service, the device sends the public key. When you try to log in, the service will send a nonce that gets signed with the private key on your device, and the service compares the signature with the original public key that is registered.
Beyond this is that manufacturers can sign your keys. Because your keys are created at the time that you use the device for the first time or reset the device to create a new private key, the manufacturer has to place a signing key on the device that will sign your key. The manufacturer will sign this signing key with their root key. Cloudflare can get the public version of this root key and make sure that your device's key is also rooted back to that key. In this way they can validate that you aren't using just any device, but a device from a trusted manufacturer.
In Cloudflare's case they don't actually care what device you're actually using, just that you're using a device from a trusted manufacturer that makes sure their devices require physical interaction and cannot be easily automated. To boil this down: Cloudflare found an interesting use for an existing authentication process in order to break automation by being able to easily know a human is behind the request. That is all. But yes, a unique identifier is communicated and could be tracked.
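A simplified model of the exchange described in the comment above, as an added example that is not part of the thread and is not Cloudflare's or any vendor's code. Raw ECDSA signatures over DER-encoded public keys stand in for WebAuthn's CBOR and X.509 structures; `makeDevice`, `checkRegistration`, `checkAssertion` and the `touched` flag are hypothetical names.

```javascript
// Added illustration: a simplified model, not real WebAuthn (no CBOR, no X.509).
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const der = (pub) => pub.export({ type: 'spki', format: 'der' });
const load = (buf) => crypto.createPublicKey({ key: buf, format: 'der', type: 'spki' });
const sign = (priv, data) => crypto.sign('sha256', data, priv);
const verify = (pub, data, sig) => crypto.verify('sha256', data, pub, sig);

// Manufacturer: the root key endorses the signing (attestation) key on the device.
function makeDevice(rootPriv) {
  const att = newKey();
  const endorsement = sign(rootPriv, der(att.publicKey));
  let cred = null;
  return {
    // Registration: create a credential key; the attestation key signs its public half.
    register() {
      cred = newKey();
      return { credPub: der(cred.publicKey), attPub: der(att.publicKey),
               endorsement, attSig: sign(att.privateKey, der(cred.publicKey)) };
    },
    // Login: sign the service's nonce only when the user touched the device (modelled).
    signChallenge(nonce, touched) { return touched ? sign(cred.privateKey, nonce) : null; },
  };
}

// Service: accept a registration only if its keys chain back to the trusted root.
function checkRegistration(reg, trustedRootPub) {
  return verify(trustedRootPub, reg.attPub, reg.endorsement) &&
         verify(load(reg.attPub), reg.credPub, reg.attSig);
}

// Service: check the signed nonce against the public key stored at registration.
function checkAssertion(credPubDer, nonce, sig) {
  return sig !== null && verify(load(credPubDer), nonce, sig);
}

function demo() {
  const root = newKey(), otherRoot = newKey();        // constructed keys
  const genuine = makeDevice(root.privateKey);
  const untrusted = makeDevice(otherRoot.privateKey); // not endorsed by the trusted root
  const reg = genuine.register();
  const nonce = crypto.randomBytes(32);
  return {
    genuineAccepted: checkRegistration(reg, root.publicKey),
    untrustedAccepted: checkRegistration(untrusted.register(), root.publicKey),
    loginOk: checkAssertion(reg.credPub, nonce, genuine.signChallenge(nonce, true)),
    noTouch: checkAssertion(reg.credPub, nonce, genuine.signChallenge(nonce, false)),
    wrongNonce: checkAssertion(reg.credPub, crypto.randomBytes(32), genuine.signChallenge(nonce, true)),
  };
}
```

The service rejects both the device whose signing key is not endorsed by the trusted root and any signature that does not cover the fresh nonce it issued.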