
How? A phishing site can relay any of this information by acting as a client to the real site while prompting the end user for the requested credentials.

The only way FIDO could prevent this would be to make the credentials dependent on the URL in the browser, but I don't see where it does this.



With FIDO, the user doesn't manually enter a 2FA token into a form field. Instead they press a button or something which directly transmits the token over SSL to the authentication server.

MITM is still possible, but there are other ways to combat that, such as TLS Channel IDs [1] or Bearer Tokens [2].

[1] http://www.google.com/intl/en/chrome/browser/privacy/whitepa...
[2] http://www.browserauth.net/
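The two comments above disagree on whether a relaying phishing site defeats a hardware token. The first asks for credentials that depend on the URL shown in the browser; the second points to transport-level bindings. The example below is an added illustration, not code from either commenter and not the FIDO specification itself: a simplified origin-bound challenge-response in which the browser, not the page, supplies the origin the token signs over. It uses an HMAC key registered at enrolment in place of the public-key signature a real U2F token would produce, and the relying-party name `example.com`, the phishing origin `https://example-login.test`, and all class and function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Hardware-token stand-in: one secret per relying party, set at enrolment.

    Simplification (assumption): real FIDO tokens hold a private key and return
    a public-key signature; an HMAC is used here so the example runs on the
    standard library alone. The origin-binding logic is the point, not the MAC.
    """

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # handed to the relying party at enrolment (stand-in for a public key)

    def sign(self, rp_id, challenge, origin):
        # `origin` is what the BROWSER observed for the page that invoked the token.
        # The page's own script cannot substitute a different value here.
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self._keys[rp_id], client_data, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """The real site: issues one-time challenges and checks the signed response."""

    def __init__(self, rp_id, origin):
        self.rp_id = rp_id
        self.origin = origin
        self.key = None
        self.pending = set()

    def enroll(self, authenticator):
        self.key = authenticator.register(self.rp_id)

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, sig, check_origin=True):
        data = json.loads(client_data)
        # Replay defence: each challenge is accepted once.
        if data["challenge"] not in self.pending:
            return False
        self.pending.discard(data["challenge"])
        # Origin binding: the signed origin must be this site's own origin.
        if check_origin and data["origin"] != self.origin:
            return False
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def login_direct(rp, authenticator):
    """User on the genuine site: browser reports the genuine origin."""
    challenge = rp.new_challenge()
    client_data, sig = authenticator.sign(rp.rp_id, challenge, rp.origin)
    return rp.verify(client_data, sig)


def login_via_relay(rp, authenticator, relay_origin, check_origin=True):
    """User on a relaying page: it fetches a real challenge and forwards the
    token's answer, but the browser signs over the page's actual origin."""
    challenge = rp.new_challenge()  # obtained by the relay from the genuine site
    client_data, sig = authenticator.sign(rp.rp_id, challenge, relay_origin)
    return rp.verify(client_data, sig, check_origin=check_origin)  # forwarded as-is


if __name__ == "__main__":
    token = Authenticator()
    site = RelyingParty("example.com", "https://example.com")  # assumed values
    site.enroll(token)
    print("direct login:", login_direct(site, token))
    print("relayed login, origin checked:",
          login_via_relay(site, token, "https://example-login.test"))
    print("relayed login, origin ignored:",
          login_via_relay(site, token, "https://example-login.test", check_origin=False))
```

With `check_origin=True` the relayed response fails even though the challenge and the MAC are genuine, because the token signed the origin the browser saw rather than the one the relay wanted; with the origin check disabled the response is indistinguishable from a direct login, which is the weakness the first comment describes for a plain OTP.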



