
If you are not careful, you'll enter the random chains of characters into a phishing site.

But a phishing site can't steal your passkey and forward it to the real site. The passkey will just not work with the phishing site if you try using it there; it's locked to the authentic domain.



That's mumbo jumbo to me so far.

What's an authentic domain?

How is my passkey locked to it?


The domain that the verifier (the site trying to authenticate you) is at is part of the cryptographic process. If the domain doesn't match (i.e. you're at a phishing site), then the results of the cryptography won't be valid for the actual correct site, only the phishing site (which gets the phishing site nothing it can use).
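
The domain binding described in the comment above, as an added example that is not part of the thread: a simplified WebAuthn-style assertion check in Node.js, where the browser records the origin, the authenticator signs over a hash of the domain, and the real site verifies both. The domains, challenge, helper names and the reuse of one key pair for both domains (a worst case for the defender) are constructed assumptions.

```javascript
// Added example, simplified from the WebAuthn assertion format. All values are constructed.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator key pair. Real authenticators keep a separate credential per domain
// (RP ID); one key is reused here to model the worst case for the defender.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser + authenticator side. The browser, not the page, writes `origin`.
function signAssertion(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  // authData layout (simplified): rpIdHash (32 bytes) | flags (1) | signature counter (4)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signedBytes = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signedBytes, privateKey) };
}

// Relying-party side: the checks the authentic site runs on what it receives.
function verifyAssertion(assertion, expected) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  if (clientData.type !== 'webauthn.get') return 'bad type';
  if (clientData.challenge !== expected.challenge) return 'bad challenge';
  if (clientData.origin !== expected.origin) return 'origin mismatch';
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  // The signature covers authData and the hash of clientDataJSON, so neither can be edited.
  const signedBytes = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signedBytes, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: the real site is example.com, the look-alike is example-login.test.
function demo() {
  const challenge = 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl';
  const expected = { origin: 'https://example.com', rpId: 'example.com', challenge };
  const results = {};
  results.genuine = verifyAssertion(signAssertion(expected.origin, expected.rpId, challenge), expected);
  // Assertion produced while the user is on the look-alike site, then relayed to the real one.
  const relayed = signAssertion('https://example-login.test', 'example-login.test', challenge);
  results.relayed = verifyAssertion(relayed, expected);
  // Relay rewrites the origin field: the signed rpIdHash still names the look-alike domain.
  relayed.clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin: expected.origin }));
  results.originRewritten = verifyAssertion(relayed, expected);
  // Relay also rewrites rpIdHash: the signature no longer matches the bytes.
  relayed.authData = Buffer.concat([sha256(expected.rpId), relayed.authData.subarray(32)]);
  results.bothRewritten = verifyAssertion(relayed, expected);
  return results;
}
console.log(demo());
```

In a real browser the look-alike page could not request a credential scoped to `example.com` at all, so the relayed cases here model what still protects the user if that first barrier is ignored.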



