If I log in as a user without a passwordless webauthn token configured, the login flow goes username → password → OTP as expected, but if I log in as a user with a passwordless webauthn token configured, I don’t get a “Try another way” link at the security token prompt, so I can’t fall back to password+OTP
I don’t think you are doing anything wrong but this seems to be behavior by design. I have the feeling that “Password Form” is just no alternative to WebAuthn authenticator. I have the same issue and would like to use the same Authentication Flow you are showing.
I found a workaround in the meantime by switching the order of “Password Form” and “OTP Form” which is not really nice and desired but at least it works and gives you the link “Try Another Way”.