by scherlock 616 days ago
"Hi, this is Bob from blah support, we need to confirm your account is correct. When prompted please confirm to give us access". If someone is dumb enough to hand out a password, they are dumb enough to click approve. Phishing is a social attack, not a technical attack.
2 comments

Your passkey provider will simply refuse to show that it has a credential for Bob's convincing phishing site. RP challenges are bound to a domain for this purpose.
Your browser won't auth you with a key meant for a site you're not on. There's no mechanism for what you're describing.
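
The domain binding the replies describe, seen from the relying party's side, as an added example that is not part of the thread: in WebAuthn the browser writes the page origin into `clientDataJSON` and the authenticator data starts with the SHA-256 hash of the RP ID, both covered by the signature. The RP ID `bank.example`, the origins and the sample responses are constructed assumptions; signature verification is a separate step and is omitted here.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "bank.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # assumed origin of the real site


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_binding(client_data_json: bytes, authenticator_data: bytes,
                  expected_challenge: bytes) -> list[str]:
    """Return the binding checks that failed; an empty list means all passed."""
    errors = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    got = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        errors.append("challenge")
    # The browser, not the page, fills in the origin the user is actually on.
    if cd.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4) || ...
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(authenticator_data) < 37 or not hmac.compare_digest(
            authenticator_data[:32], rp_hash):
        errors.append("rpIdHash")
    return errors


def make_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator emit."""
    cd = json.dumps({"type": "webauthn.get",
                     "challenge": b64url(challenge),
                     "origin": origin}).encode()
    flags = b"\x05"  # user present + user verified
    ad = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return cd, ad
```
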