Very dubious. The trick to phishing is that humans are easily confused about what's going on, and WebAuthn recruits the browser to fix that completely. Your browser isn't confused, the browser knows it is talking to fakebank.example because that's the DNS name which is its business, even if this looks exactly like the Real Bank web site, perfect to the pixel and even fakes the browser chrome to have a URL bar that says realbank.example as you expected.
I don't see bank authentication apps helping here. It's very easy to accidentally reassure the poor humans everything is fine when they're being robbed, because the authentication part seemed to work.
I'm somebody who really cares about and would like to think they understand security very much, and I don't think it's strictly worse at all.
One of the things banks have an ongoing problem with is insider facilitated crime. Which means secrets are a big problem, because the bank (and thus, crooked staff working for the bank) know those secrets. Most of these PSD2 "compliant" solutions rely on secrets, and so are vulnerable to bank insiders. FIDO avoids that because it doesn't rely on secrets†.
†Technically a typical Security Key has a "secret" key [typically 256-bit AES] baked inside it, but a better word would be symmetric rather than secret, there is no other copy of that symmetric key, so it isn't functionally secret.