Assuming a valid FIDO2/U2F implementation and the same-origin policy, this shouldn't be an issue. A browser will enforce that the APP-ID/domain name submitted to the token is the same as the origin requesting it. So in order to be tricked into signing into your bank, it would actually have to be your bank requesting the authentication. HTTPS is also a requirement.
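A simplified model of the check described above, added here as an illustration and not part of the original post. It follows the WebAuthn RP ID rule (the requested ID must equal the page's host or be a parent domain of it, over HTTPS); `browserAllowsRpId`, `ToyToken` and `requestAssertion` are hypothetical names, the suffix list and `.example` hosts are constructed, and the string returned by `sign` stands in for a real signature.

```javascript
// Constructed stand-in for the Public Suffix List; a real browser uses the full list.
const PUBLIC_SUFFIXES = new Set(["com", "example"]);

// Simplified model of the browser check: may a page at `origin` use `rpId`?
function browserAllowsRpId(origin, rpId) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "https:") return false;       // HTTPS is required
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (PUBLIC_SUFFIXES.has(id)) return false;          // a bare public suffix is not a valid RP ID
  return host === id || host.endsWith("." + id);      // same host, or parent domain on a label boundary
}

// Toy token (hypothetical): every credential is bound to the RP ID it was registered for.
class ToyToken {
  constructor() { this.creds = new Map(); }
  register(rpId) { this.creds.set(rpId, `key-for-${rpId}`); }
  sign(rpId, challenge) {
    const key = this.creds.get(rpId);
    return key ? `${key}:${challenge}` : null;        // placeholder string, not a real signature
  }
}

// What a page at `origin` receives when it asks the token to sign for `rpId`.
function requestAssertion(token, origin, rpId, challenge) {
  if (!browserAllowsRpId(origin, rpId)) return { ok: false, reason: "rpId not valid for origin" };
  const sig = token.sign(rpId, challenge);
  return sig ? { ok: true, sig } : { ok: false, reason: "no credential for rpId" };
}

// Constructed cases: the real site, a subdomain, and look-alike origins.
function demo() {
  const token = new ToyToken();
  token.register("bank.example");
  const cases = [
    ["https://bank.example", "bank.example"],
    ["https://login.bank.example", "bank.example"],
    ["http://bank.example", "bank.example"],
    ["https://bank.example.phish.example", "bank.example"],
    ["https://bank.example.phish.example", "phish.example"],
    ["https://evilbank.example", "bank.example"],
  ];
  return cases.map(([origin, rpId]) =>
    ({ origin, rpId, ...requestAssertion(token, origin, rpId, "chal-1") }));
}

console.table(demo());
```

The look-alike origin fails either way: it cannot claim the bank's RP ID, and under its own RP ID the token holds no credential to sign with.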