Never cancel your credit or debit cards until you are 100% positive you (and no one else) has access to your AppleID.
If somehow the thief has discovered your unlock code, they can change your AppleID password easily in the iOS device, and it will happen instantly, the millisecond the device has Internet access. When the PW change routine runs, it turns off Find My . . . instantly. Before it ever reports the location.
Since Apple only gives you one e-mail address to send the Find My reports, if you are using your AppleID e-mail to receive those reports, you won’t be able to use Apple Mail to get them or read them once your password has been changed.
Set up your AppleID Mail to forward all incoming messages to a mailbox that you will always be able to access, like on Gmail.com.
You are going to need the credit card on file with Apple to reset your password for your AppleID. If you cancel the card account, Apple cannot verify the card, and you go into the giant mysterious black pyramid, where you will wait weeks to get back into your AppleID account.
Been there, done that. I keep all my passwords on 1Password. And no where else. Every password is complex and unique. I do not allow any other system, be it macOS, iOS, Keychain, or browsers to save my passwords. They are all safe and encrypted in 1Password.
Your phone is gone, sorry to say. Most of the time, the phone itself is useless. The IMEI cannot be registered except in a few countries in Africa. The thieves are pros, they sell it fast to a fence for very little money, who has a chop shop to extract all the parts, that are then sold to the independent repair shops for much less than Apple charges.
Apple is doing its best to put all third-party repair shops out of business. You may think this is a good idea or that it reeks of monopoly control of who can fix what belongs to you. Read more here:
This just make parts from stolen Apple products even more valuable.