You cannot replace parameters inside strings; parameters themselves are entire strings.
Concatenate the strings in SQL:
query.prepare("SELECT ... WHERE strftime(...) = :year || '-' || :month");
You could also construct the entire string beforehand:
query.prepare("SELECT ... WHERE strftime(...) = :yyyymm");
query.bindValue(":yyyymm", month + "-" + year);