Understanding a TLS 1.3 0-RTT replay attack
You aren't missing that much. I think this cloudflare article near the end outlines possible attack vectors and scenarios quite nicely. Depending on the security of the networks and web apps, 0-RTT may not be responded to pending what kind of parameters or certain types of headers. If an attacker has already figured out how to insert himself and gain visibility to what he would want to replay on a vulnerable host, there are worse risks elsewhere to look out for first. Something like a 0-RTT replay that has parameters and an authenticated session cookie and a HTTP downgrade could be plausible. But in the pentester's world, that's alot of work.