by TickleSteve 1891 days ago
(https://security.stackexchange.com/questions/91699/why-cant-...)

TLDR: "Without authentication, impersonation is feasible, ..."


tldr: preventing MITM attacks requires setting up an authentication workflow. Without this, you have no guarantees about who you're speaking to.

For example, TLS 1.3 does this by (after performing ephemeral DH key exchange) signing the conversation transcript with the server's long term identity key. After this the client is sure that they are speaking to the correct server, but the server has no authenticity guarantees about the client.

The only way is to use another channel for the Short Authentication String (SAS) (check digits in my case). I recommend that people SMS them the check digits, and exchange the DH offers by email.
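The check-digit idea in the comment above, and the transcript-binding idea from the TLS 1.3 comment, as an added example that is not the commenters' code: each side derives a Short Authentication String from both DH offers and the agreed key, so digits compared over a second channel only match when both parties saw the same offers. The group parameters, private exponents and the `sas` construction are constructed for illustration (a toy prime, not a secure group).

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for the example only.
# A real deployment uses a standard MODP group or an elliptic curve.
P = 2**127 - 1
G = 3


def dh_public(private: int) -> int:
    """DH offer g^x mod p for private exponent x."""
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    """Shared secret (peer_public)^x mod p."""
    return pow(peer_public, private, P)


def new_private() -> int:
    """Fresh random exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def sas(offer_sent: int, offer_received: int, shared: int, digits: int = 6) -> str:
    """Short Authentication String: check digits bound to both offers and the key.

    Offers are sorted so both parties hash the same transcript; the digits are
    taken from SHA-256 so any substituted offer changes them.
    """
    transcript = b"|".join(str(v).encode() for v in (*sorted((offer_sent, offer_received)), shared))
    h = int.from_bytes(hashlib.sha256(transcript).digest(), "big")
    return str(h % 10**digits).zfill(digits)


def direct_session(a_priv: int, b_priv: int, digits: int = 6) -> tuple[str, str]:
    """Offers arrive unmodified (e.g. by email); returns (Alice's SAS, Bob's SAS)."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    return (sas(a_pub, b_pub, dh_shared(b_pub, a_priv), digits),
            sas(b_pub, a_pub, dh_shared(a_pub, b_priv), digits))


def relayed_session(a_priv: int, b_priv: int, m1_priv: int, m2_priv: int, digits: int = 6) -> tuple[str, str]:
    """Offers replaced in transit: Alice keys with M1, Bob with M2.

    Alice's transcript is (A, M1) and Bob's is (M2, B), so the check digits
    they read to each other over SMS disagree and the substitution is caught.
    """
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    m1_pub, m2_pub = dh_public(m1_priv), dh_public(m2_priv)
    return (sas(a_pub, m1_pub, dh_shared(m1_pub, a_priv), digits),
            sas(b_pub, m2_pub, dh_shared(m2_pub, b_priv), digits))
```

Comparing six digits limits an undetected substitution to a one-in-a-million guess per attempt; the digits authenticate nothing unless they travel over a channel the relay does not control.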