This is interesting. The fact that they were able to use BGP to access a domain-validated certificate is pretty disconcerting.
The protections from TLS via PKI are, imho, “good enough.” In that for most use cases the protect the privacy of the client traffic. But for doing more sensitive operations, you always increase the surface area. There should be at least a 3-pronged validation approach to prevent this sort of compromise (similar to how Stripe requires verification from your server and directly from the client to process a request).