To try to add some explanation here: the server doesn't send the fingerprint. The server sends the public key, your computer just shows a fingerprint because it's more human-friendly and sufficiently secure.

If they forward the real key, so it matches the fingerprint, and you use it, they can't MITM the request because they can't read the contents.

Ah thanks for the explanation. It’s been a long long time since I’ve delved this deeply into the topic.