There are many legitimate situations in which a login domain is changed and a password manager no longer works. So then you manually open the password manager, look for the password, copy+paste, and save the new entry.
How can you be completely confident that this isn't an attacker?
Right. One of the good decisions in WebAuthn is that this type of nonsense simply isn't possible. It's designed so that you can't do this. When the big boss absolutely insists that ourcorp.example must rename to xp4ifis.example because of whatever nonsense, there's nothing to argue about, it won't technically work, it can't be done. Like if they decided it would be better branding if up was down, too bad.
In almost all cases these were just about vanity (e.g. the university where I studied and had some of my first jobs renamed itself and gave every web site new URLs, purely out of vanity, at considerable cost with no benefit) and so when they discover it can't be done technically they just give up and continue to use the old name for authentication, meaning your security posture is intact. In the few other cases you're now going to have to have a conversation with your users about why you broke everything and need to begin over. I sure hope the gain to your organisation was worth it.
In that rare case you just check the URL. Contact the company if it is a high value login. You can also verify by searching for the site and clicking through to see what their webpage offers as ground truth.