The cert would be signed by B0fA.com, true. The user types BofA.com, true. The MITM can't present a signed cert for BofA.com, true.
The thing is, if I've got evil software on the WiFi hotspot, I recognize you want to go to BofA.com and, before the TLS handshake, I redirect the browser to B0fA.com. These redirections happen all the time in legit situations, so that isn't considered nefarious. So yes, the user first typed BofA, but they end up with a secure connection to B0fA, and there's no alert presented because B0fA has a signed cert. If the user sees a legit-looking login page and doesn't notice the difference in the domain name, they're pwned.
There's probably a better or more technical description of this attack out there on the internet somewhere, but I'm sure it's a standard attack vector.
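An added example (Python, written for this page and not taken from either poster) that simulates the flow the post describes: a redirect injected into the plaintext HTTP response before any TLS handshake, a certificate that validly matches the lookalike host so the browser raises no warning, and a client-side confusable-hostname check that would flag the hop. The response chain, the `Hop` type, the SAN lists and the confusable table are constructed assumptions for illustration; the legitimate chain is not a record of the bank's real redirects.

```python
"""Simulate a redirect to a lookalike domain and a check that flags it.

Constructed example: every URL, certificate SAN and confusable pair below is
assumed for illustration, not observed from any real site.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict
from urllib.parse import urlparse

# Small assumed subset of visually confusable substitutions. Longest keys
# first so the two-character pairs are rewritten before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]

REDIRECT_CODES = (301, 302, 303, 307, 308)


def canonical(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    h = host.lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def skeleton(host: str) -> str:
    """Collapse confusable characters so lookalikes compare equal."""
    h = canonical(host)
    for src, dst in CONFUSABLES:
        h = h.replace(src, dst)
    return h


def is_lookalike(typed_host: str, final_host: str) -> bool:
    """True when the hosts differ but collapse to the same skeleton."""
    return (canonical(typed_host) != canonical(final_host)
            and skeleton(typed_host) == skeleton(final_host))


def cert_matches(sans: Tuple[str, ...], host: str) -> bool:
    """The hostname check a browser performs: exact SAN or one-label wildcard."""
    host = host.lower()
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if (san.startswith("*.") and host.count(".") == san.count(".")
                and host.endswith(san[1:])):
            return True
    return False


@dataclass
class Hop:
    """One response in a constructed redirect chain."""
    url: str
    status: int
    location: Optional[str] = None   # Location header on a redirect
    sans: Tuple[str, ...] = ()       # SANs of the cert presented; empty for http://


def follow(hops: List[Hop]) -> Tuple[str, Tuple[str, ...]]:
    """Walk the chain, checking each redirect points at the next hop."""
    for prev, nxt in zip(hops, hops[1:]):
        if prev.status not in REDIRECT_CODES or prev.location != nxt.url:
            raise ValueError(f"chain broken at {prev.url}")
    last = hops[-1]
    return last.url, last.sans


def evaluate(typed_host: str, hops: List[Hop]) -> Dict[str, object]:
    """What the browser validates (cert vs final host) next to what it does not (typed vs final host)."""
    final_url, sans = follow(hops)
    final_host = urlparse(final_url).hostname or ""
    return {
        "final_host": final_host,
        "cert_ok": final_url.startswith("https://") and cert_matches(sans, final_host),
        "lookalike": is_lookalike(typed_host, final_host),
    }


# Constructed chains. The hotspot answers the plaintext request for bofa.com
# with a redirect to the lookalike, which then presents its own valid cert.
ATTACK_CHAIN = [
    Hop("http://bofa.com/", 302, location="https://b0fa.com/login"),
    Hop("https://b0fa.com/login", 200, sans=("b0fa.com", "www.b0fa.com")),
]
# A legitimate-looking chain: the redirect target is a different, non-confusable name.
LEGIT_CHAIN = [
    Hop("http://bofa.com/", 301, location="https://www.bankofamerica.com/"),
    Hop("https://www.bankofamerica.com/", 200,
        sans=("*.bankofamerica.com", "bankofamerica.com")),
]

if __name__ == "__main__":
    for name, chain in (("attack", ATTACK_CHAIN), ("legit", LEGIT_CHAIN)):
        print(name, evaluate("BofA.com", chain))
```

In both chains `cert_ok` is true, which is the point of the post: certificate validation binds the connection to the host the browser ended up at, not to the host the user typed. Only the confusable comparison between typed and final host distinguishes the two. Note that the injected hop depends on the very first request going out over plaintext HTTP; a browser that already has an HSTS entry for the typed domain (preloaded or cached) never sends that request and never sees the redirect.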
Perhaps if you explain what information is in a certificate, how it is signed, and how it is validated, you'd realize your attack won't work. TLS was designed under the assumption that a MITM had complete control over the dialog, and your attack is among the ones covered.