However, as I understand the protocol, the very first step of the TLS 1.3 handshake, the nonce generation, can be MiTMed sufficiently to allow an attacker to determine the target domain. It's only in the next step that server and client do authentication.
The attacker can't trivially continue the handshake beyond that point, but that might give enough info to log the attempt and terminate the connection.
With TLS 1.3, the certificate is in the encrypted portion of the handshake.