
If you prefer command-line programs and you like keeping your TOTP secrets PGP encrypted, try goathgen: https://github.com/w8rbt/goathgen


Having the tokens on the computer with the KeePass file feels a bit too close to home for me. I can heartily recommend a YubiKey for those, which plugs in to USB and you can use their very nice TOTP desktop app.


You can always keep the TOTP in a separate KeePassXC database. It's not a separate device, but unless your threat involves targeted machine access, it's a separate factor.

Keepass2android supports TOTP as well, and can lock the kdbx secret with the Android secret storage system, giving you a little bit of a trade-off there if you are interested.

Edit: dug up this post of mine which talks about TOTP strategies, among other things. https://news.ycombinator.com/item?id=15421444


Oh huh, I use keepass2android but didn't know it had TOTP support, thank you!



