I notice that in the demo you are checking the API with every keystroke above 5 characters. I think the API should only be called after the minimum number of characters is reached, and only after the typing is finished (so debounce to .3s or so).
I'd suggest 8 for the minimum number of characters to check, as that's the absolute low end of password length among all the security standards and recommendations I've ever read. It seems that there just isn't any such thing as a secure 6-character password.
As for the debounce: AFAIK k-anon protects against disclosing passwords by transmitting only a portion of the hash; but if you transmit that portion on each keystroke, wouldn't that be pretty easy for a bad actor (e.g. MITM, Evil Troy Hunt, etc.) to reconstruct? Even starting with five characters, that's still only tens of billions of possibilities for the most common characters, which means it would be possible for an attacker to start out with a sha1 hashes for all common combos of 5 characters, and then add a character and compare each subsequent hash. I'm not sure about this, but that is why I'm thinking that debouncing is desirable / necessary.