The volume master key is encrypted by one or more key protectors. You have a range of key protectors to choose from depending on the machine's configuration and hardware, and each can be used to unlock the volume master key independently.
In your configuration above you have two encrypted copies of the volume master key - a TPM key protector, as well as a Numerical Password key protector - a 48-bit recovery password which itself decrypts the volume master key.
Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
BitLocker Key Management FAQ
When you access a disk protected by BitLocker, such as when starting the computer for the OS volume, BitLocker requests access to the key protector.
For a recovery password key protector, you are required to type it in to the pre-boot environment.
The TPM Key Protector is a special key protector that (a) stores the encryption key inside tamper-resistant non-exportable memory in the chip, and (b) uses the capabilities of the security processor to perform validation of the machine's current configuration before releasing the key from its encrypted memory to the Operating System.
When BitLocker with a TPM key protector is initialised, a validation profile is created in the TPM chip of the machine which includes the readings of a number of Platform Configuration Registers (PCRs). Each PCR represents the state or value of a number of boot-critical components and services. This validation profile is the 'known good' state of the machine.
Each time the machine is booted, the TPM measures these PCRs again. Provided the PCRs match the known-good profile, the TPM releases the key to the Operating System enabling the automatic unlock of the disk and the remainder of the boot process. Additionally, a PIN may need to be inputted to provide additional authentication to the TPM of the user (highly recommended).
If the value of any of these has changed (e.g. the Master Boot Record (MBR) code has been modified by an attacker to display or release the encryption key in the clear), the PCR will have changed when assessed by the TPM during boot, so the system is not deemed to be secure and the TPM will not release the key. In this case another key protector is tried, which often means prompting the user to input the recovery password.
Whilst Windows provides a secure by design default configuration, you can change the PCRs that are assessed and read more about the functions of each PCR in the relevant Group Policy settings for BitLocker PCRs:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure TPM platform validation profile (...)
This is fundamentally what stops a malicious user from accessing the volume master key via the TPM.
Further reading: How does the TPM perform integrity measurements on a system?
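The PCR check described above can be modelled in a few lines. This is an added example, not code from the original answer or from Microsoft: ToyTpm, the PCR numbers and the boot component contents are constructed for illustration, and the toy keeps the key in a Python object where a real TPM protects it in hardware.

```python
import hashlib
import hmac

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(measurement)); a PCR is never set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components: dict) -> dict:
    """Replay a boot: each PCR starts at all zeroes and is extended once per component."""
    pcrs = {}
    for index, blobs in components.items():
        value = bytes(32)
        for blob in blobs:
            value = extend(value, blob)
        pcrs[index] = value
    return pcrs

def profile_digest(pcrs: dict, selection) -> bytes:
    """Digest over the selected PCRs only: this plays the role of the validation profile."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()

class ToyTpm:
    """Toy TPM key protector: releases the key only when the current PCRs match the profile."""
    def seal(self, key: bytes, pcrs: dict, selection) -> None:
        self.sealed = (key, tuple(selection), profile_digest(pcrs, selection))

    def unseal(self, pcrs: dict):
        key, selection, expected = self.sealed
        match = hmac.compare_digest(profile_digest(pcrs, selection), expected)
        return key if match else None

def boot_and_unlock(tpm: ToyTpm, components: dict):
    """Measure the given boot chain, then ask the TPM for the key."""
    return tpm.unseal(measure_boot(components))

# Constructed sample boot chain; PCR numbers and contents are illustrative only.
GOOD_BOOT = {0: [b"firmware v1"], 4: [b"mbr code"], 5: [b"partition table"]}
SELECTION = (0, 4)   # PCR 5 is deliberately left out of the validation profile
VMK = b"\x11" * 32   # constructed stand-in for the volume master key

tpm = ToyTpm()
tpm.seal(VMK, measure_boot(GOOD_BOOT), SELECTION)  # the 'known good' state
MODIFIED_MBR = {**GOOD_BOOT, 4: [b"modified mbr code"]}
REPARTITIONED = {**GOOD_BOOT, 5: [b"new partition table"]}

if __name__ == "__main__":
    for name, chain in [("good", GOOD_BOOT), ("modified MBR", MODIFIED_MBR),
                        ("repartitioned", REPARTITIONED)]:
        released = boot_and_unlock(tpm, chain) is not None
        print(f"{name}: {'key released' if released else 'fall back to recovery password'}")
```

The repartitioned boot still unlocks because its PCR is outside the selected profile, which is why changing the PCR selection in Group Policy changes what the TPM actually protects against.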