$stmt = $conn->prepare("INSERT INTO chatbox (username, message)
VALUES (:username, :message)");
$username = $_POST['username'];
$message = $_POST['message'];
Nowhere here. Always try to put the "raw" (see below what I mean by "raw") data into your database. Only use htmlspecialchars when you want to show the data from your database.
"raw" as in sanitized and safe for the database, but not touched in a way that puts it into a certain format (e.g. HTML).
So in order to use htmlspecialchars correctly, let's say you echo that message after receiving it from the database like that:
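The store-raw, escape-on-output flow described above, as an added example that is not part of the original answer. It assumes the pdo_sqlite extension, with an in-memory SQLite database standing in for the real one; the `$post` array and the `h()` helper are hypothetical names introduced for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the real database (assumption).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE chatbox (username TEXT, message TEXT)');

// Constructed input standing in for $_POST.
$post = [
    'username' => 'alice',
    'message'  => '<script>alert(1)</script> & "hello"',
];

// Write path: bound parameters keep the value safe for SQL.
// No htmlspecialchars here, so the stored text stays format-neutral.
$stmt = $conn->prepare(
    'INSERT INTO chatbox (username, message) VALUES (:username, :message)'
);
$stmt->execute([
    ':username' => $post['username'],
    ':message'  => $post['message'],
]);

// Hypothetical helper: escape a value for an HTML text or attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read path: fetch the raw rows and escape only at the moment of output.
$rows = $conn->query('SELECT username, message FROM chatbox')
             ->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    // The database holds exactly what was submitted.
    if ($row['message'] !== $post['message']) {
        throw new RuntimeException('stored message was altered on the way in');
    }
    echo '<p><b>' . h($row['username']) . ':</b> ' . h($row['message']) . "</p>\n";
}
```

Because the stored value is untouched, the same row can later be written to JSON, plain-text e-mail or a CSV export with the encoding that context needs, without first undoing HTML entities.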