But you can trick Bob into entering his credentials + using his security key on corp.bank.co.m and then use those credentials + security key interaction to log into corp.bank.com IF the security key interaction is domain agnostic (like you can do with the 2FA codes you get on your phone - if you can trick Bob into entering his password you can trick corp.bank.com into sending Bob a 2FA code which he will also give you).
U2F key interaction is not domain agnostic. That's why it's so good against phishing--it can't be collected by a fake domain to pass through to the real one.
The key requires physical feedback, the user needs to push the button when prompted by the software and that button pushing will only authorize a single authentication.