Reported by @gouttegd at gnupg-users:

Second, as you’ll have noticed the Kyber key has been generated without a passphrase ("genkey --no-protection"). If you do want to protect that key, it’s better to do that at the time you generate it (by leaving aside the "--no-protection" parameter), because GnuPG will not allow you to set a passphrase on that key afterwards: if you try the "passwd" command in the key editor, GnuPG will notice that the ECC part is on a token, and will therefore claim that there is no passphrase to change -- ignoring the fact that the Kyber part is on disk (maybe this could be considered a bug, or at least a missing feature; then again all of this is clearly experimental, so this is to be expected.)