While this is possible, it does require significantly more effort on the part of the attacker and there are many more points of failure. So I'm guessing most phishing sites don't actually do that, even though of course some do.
Phishing has been commoditised, the criminals don't write their own pages anymore.
In fact the phishing toolkits have been doing TOTP passthrough/relay for a few years now. For the attacker, it's a nice feature: victim could be using SMS, authenticator app or even an out-of-band delivered token book - they are all captured and passed along equally well.
U2F and FIDO2 with hardware keys are the only realistic safeguards. On the other hand, I do subscribe to the stated problem, because for most people they are a usability snag. The NFC variant has the potential to address this, though: instead of plugging a key in and touching the blinky button, you just wave your keyring next to the device. Too bad NFC readers are not universally available on phones, tablets or laptops.
German banking has ubiquitous qr-mediated second channel - the authenticator (app or physical device) reads a qr code, shows the transaction details on screen and if they match user types back a code from the app (which is based on qr content).
All that is required is that they phish in real-time or automate the attack. These attacks are not uncommon in the wild. MITM’ing three fields in a login page is not much harder than writing two fields to a DB. And it’s basically trivial to do it over the phone.
If you look at the context of the article, you should assume that phishing attack is sophisticated enough and responding to that attack with "you should use 2FA" is missing the point (which is exactly what the author claims).
2FA (at least the simple OTP variants) don't protect against phishing, they just protect against sloppy phishing attempts.