No, it is not like Docker. You can treat an LXC container pretty much like a VM in most instances, including firewall rules. To answer the question, you can use fail2ban just like you had done in your VM, meaning you can run it inside the LXC container, where fail2ban can change the firewall rules of that container as it sees fit.
I’m exclusively running unprivileged LXC containers and haven’t had any issues regarding the firewall, neither with iptables nor nftables.