I am still busy researching this and so far I am not sure if I can buy a token device like a yubi-key or rsa-token-id or anything else and use the secret of that device for that specific user instead of relying on the one generated by generateBase32Secret() ?

I'm looking to add 2FA to a java-based web app and the option to use i.e. Google Auth or hardware tokens for different users.

This is old but the mechanisms of the hardware keys are more complex that that. I suspect that those hardware keys have whitepapers and SDKs for using the keys generated by them but they aren't going to be compatible with this system unfortunately.