This is not a bug. The attack that is being prevented here is the case where someone would steal your password and log into your account from their own machine.
So in this case, two-factor helps us establish trust by proving that it is in fact you who is trying to log into iCloud and not some attacker who stole only your password. The ways in which we can achieve this can be classified as "something you have", "something you are" and "something you know".
In this case, your password is "something you know". Your iPhone and Mac are both "something you have". Remember, your Mac is signed into iCloud already and is trusted by Apple at the system level.
If someone did steal your password (the something you know), they would still require access to either your Mac OR your iPhone. These are both "something you have". As stated previously, your Mac is already trusted by Apple, so presenting this two-factor code on your Mac is no less secure than presenting it on your iPhone. For an attack to be successful, the attacker would have to steal your password as well as obtain access to one of your trusted devices (your Mac or iPhone). So two-factor is just as valid being presented on your phone as on your Mac.