Not quite. aws-vault still reads the secret out of the backend to create session credentials. You likewise could read the backend directly to get the credentials (assuming you are authenticated).
With the secret stored in a tpm it cannot be extracted. Instead you ask the tpm execute the hmac() function on your behalf with the secret only it can read.
At least on MacOS it uses keychain. There are other storage backends for other platforms.