Via the U2F protocol, the browser embeds the URL and optionally the TLS Channel ID in the challenge, so a phishing website asking for a challenge will produce the wrong challenge (and response).
If the Channel ID is included, it stops MitM completely.
In fact, doing the authentication inside the secure channel, in a way that depends on the key used by that channel, is the best way to perform mutual authentication. In the MitM case the authentication will simply fail, and passive attackers cannot learn anything about the identities used for authentication.
Both SSH2 and many Windows-related protocols work in exactly this way.
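The two bindings discussed above (the browser stamping the origin into the signed client data, and optionally the TLS Channel ID so a response can only be accepted over the channel it was produced on) as an added worked example; this is not code from the thread, U2F, or any U2F library. It assumes a stand-in: the token's ECDSA signature is replaced by an HMAC over the same message layout (SHA-256(appId) || SHA-256(clientData)) so it runs with the standard library only, the browser hands the page origin to the token as the appId (the real facet rules are skipped), and all origins, challenges and channel IDs are constructed sample values.

```python
"""Toy model of U2F origin and TLS Channel ID binding (added example, not U2F code).

Assumptions: HMAC stands in for the token's ECDSA signature; the page origin
doubles as the appId; origins and channel IDs below are made up for the demo.
"""
import hashlib
import hmac
import json
import secrets

TOKEN_KEY = secrets.token_bytes(32)      # toy: the user's registered token key
BANK = "https://bank.example"           # constructed legitimate origin
PHISH = "https://bank-login.example"    # constructed phishing origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def token_sign(token_key: bytes, app_id: str, client_data: bytes) -> bytes:
    """What the token signs: H(appId) || H(clientData). HMAC stands in for ECDSA."""
    msg = sha256(app_id.encode()) + sha256(client_data)
    return hmac.new(token_key, msg, hashlib.sha256).digest()


def browser_client_data(challenge: str, origin: str, channel_id) -> bytes:
    """The browser, not the web page, fills in the origin and the Channel ID."""
    return json.dumps({
        "typ": "navigator.id.getAssertion",
        "challenge": challenge,
        "origin": origin,
        "cid_pubkey": channel_id,       # None when Channel ID is not in use
    }, sort_keys=True).encode()


def browser_assert(origin: str, challenge: str, channel_id):
    """Browser builds client data and asks the token to sign it."""
    cd = browser_client_data(challenge, origin, channel_id)
    return cd, token_sign(TOKEN_KEY, origin, cd)   # simplification: origin == appId


class RelyingParty:
    def __init__(self, app_id: str, token_key: bytes):
        self.app_id = app_id
        self.token_key = token_key
        self.pending = None

    def begin(self) -> str:
        self.pending = secrets.token_urlsafe(32)
        return self.pending

    def finish(self, client_data: bytes, signature: bytes, conn_channel_id) -> bool:
        cd = json.loads(client_data)
        if cd.get("challenge") != self.pending:      # must be the challenge we issued
            return False
        if cd.get("origin") != self.app_id:          # phishing defence: browser-set origin
            return False
        if cd.get("cid_pubkey") != conn_channel_id:  # MitM defence: same TLS channel
            return False
        expected = token_sign(self.token_key, self.app_id, client_data)
        return hmac.compare_digest(signature, expected)


def legit_login() -> bool:
    rp = RelyingParty(BANK, TOKEN_KEY)
    cid = "cid-user-to-bank"                 # one TLS channel, end to end
    cd, sig = browser_assert(BANK, rp.begin(), cid)
    return rp.finish(cd, sig, cid)


def phishing_login() -> bool:
    """Phisher relays the real challenge to the victim and the response back."""
    rp = RelyingParty(BANK, TOKEN_KEY)
    cd, sig = browser_assert(PHISH, rp.begin(), None)   # browser stamps PHISH as origin
    return rp.finish(cd, sig, None)                     # fails on the origin check


def mitm_login(use_channel_id: bool) -> bool:
    """Active MitM with a forged certificate: the victim's browser sees the real
    origin, but its TLS channel terminates at the attacker, who opens a second
    channel to the bank and forwards the response."""
    rp = RelyingParty(BANK, TOKEN_KEY)
    victim_cid = "cid-victim-to-mitm" if use_channel_id else None
    mitm_cid = "cid-mitm-to-bank" if use_channel_id else None
    cd, sig = browser_assert(BANK, rp.begin(), victim_cid)
    return rp.finish(cd, sig, mitm_cid)


if __name__ == "__main__":
    print("legit:", legit_login())                 # True
    print("phishing:", phishing_login())           # False: origin mismatch
    print("mitm, no channel id:", mitm_login(False))  # True: MitM passes through
    print("mitm, channel id:", mitm_login(True))      # False: channel mismatch
```

The origin check alone defeats a relay phish, because the phishing page cannot control the origin the browser writes into the signed client data. It does not defeat a TLS-interposing MitM, since the victim's browser genuinely sees the real origin; only when the Channel ID is present does the relying party notice that the response was signed for a channel other than the one it arrived on, which is the point made above about tying authentication to the channel's own key.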