Command line and impersonation
Two different things get lumped together here, and the distinction matters.
Paths that inherit the Kerberos TGT are fine. Sign in with WHfB, and PowerShell remoting over Kerberos rides on the resulting ticket without a password. Nobody should claim otherwise.
Paths that require a supplied credential are the problem: runas, runas /netonly, psexec with explicit credentials, MMC and RSAT tools launched as a different user, scheduled tasks running as a user with a stored password. These are the workhorses of operations.
There is a documented WHfB answer here, and it deserves credit: dual enrolment, with a certificate deployed into the privileged account's Hello container, gives you passwordless run-as and passwordless RDP with a PIN instead of a typed password. It works. It also costs AD CS, a certificate template, per-user certificates and a dual-enrolment workflow, and it has documented edges, including that a certificate deployed via Intune combined with User Account Control set to prompt for credentials on the secure desktop breaks the run as feature outright.
So the honest claim is not that WHfB cannot cover these paths. It is that covering them means rebuilding the certificate infrastructure that cloud Kerberos trust was recommended to let you avoid, and then maintaining it alongside the key-trust deployment you already have.