Apple devices with a secure enclave have the ability to attest to their identity, and also attest that keys were generated on a secure enclave (this functionality is very locked down for privacy preservation purposes, but is certainly available to Apple). If Apple is willing to lock out any device shipped without a secure enclave (which would probably be an excessive number of Macs at the moment - the iMac only started shipping with a T2 in the 2020 model, although the iMac Pro did have a T1 earlier than that) then it's absolutely possible to restrict access to actual Apple hardware with no risk of key interception.
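As an added illustration of the attestation flow the comment describes (this is example code written here, not code from the commenter, from Apple, or from any real attestation format), the Go program below models the two pieces involved: a device identity certificate issued by a manufacturer's hardware root, and a key-attestation statement, signed by that device identity key, claiming that a freshly generated key is hardware-backed. The relying party only accepts a key if the identity chains to a root it trusts, the statement signature checks out, the challenge nonce is fresh, and the hardware-backed claim is present. Everything here is constructed for the example: the root, the device serials, the `Statement` layout, and the use of plain P-256 ECDSA certificates and an ASN.1 statement are simplifications, not Apple's real chain or encoding.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Statement is a constructed, simplified key-attestation statement (not a real format):
// the public key being attested, the device's claim that it was generated in hardware,
// and the verifier's challenge nonce for freshness.
type Statement struct {
	PubKey   []byte // PKIX/DER encoding of the attested public key
	HWBacked bool   // device claims the private key lives in its secure element
	Nonce    []byte // challenge issued by the verifier
}

// Attestation is what the device hands back: its identity certificate plus the signed statement.
type Attestation struct {
	DeviceCert *x509.Certificate
	Statement  []byte // DER-encoded Statement
	Signature  []byte // ECDSA signature over SHA-256(Statement) by the device identity key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey generates a P-256 key; used here for the root, the device identity and attested keys.
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// NewRoot models the manufacturer's self-signed hardware root CA (constructed, not Apple's).
func NewRoot(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	k, t := NewKey(), template(1, name, true)
	return k, sign(t, t, &k.PublicKey, k)
}

// NewDevice models a per-device identity key certified by the root at manufacture time;
// in real hardware the private half never leaves the secure element.
func NewDevice(rootKey *ecdsa.PrivateKey, root *x509.Certificate, serial int64) (*ecdsa.PrivateKey, *x509.Certificate) {
	k := NewKey()
	return k, sign(template(serial, fmt.Sprintf("device-%d", serial), false), root, &k.PublicKey, rootKey)
}

// Attest is the device side: bind the attested key, the hardware claim and the nonce
// together and sign the bundle with the device identity key.
func Attest(devKey *ecdsa.PrivateKey, devCert *x509.Certificate, attested *ecdsa.PublicKey, hwBacked bool, nonce []byte) Attestation {
	stmt := must(asn1.Marshal(Statement{PubKey: must(x509.MarshalPKIXPublicKey(attested)), HWBacked: hwBacked, Nonce: nonce}))
	d := sha256.Sum256(stmt)
	return Attestation{DeviceCert: devCert, Statement: stmt, Signature: must(ecdsa.SignASN1(rand.Reader, devKey, d[:]))}
}

// Verify is the relying-party side. It returns the attested public key only if the device
// certificate chains to a trusted hardware root, the statement is signed by that device key,
// the nonce matches our challenge, and the device claims the key is hardware-backed.
func Verify(roots *x509.CertPool, a Attestation, nonce []byte) (*ecdsa.PublicKey, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := a.DeviceCert.Verify(opts); err != nil {
		return nil, fmt.Errorf("device identity not trusted: %w", err)
	}
	devPub, ok := a.DeviceCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unexpected device key type")
	}
	d := sha256.Sum256(a.Statement)
	if !ecdsa.VerifyASN1(devPub, d[:], a.Signature) {
		return nil, errors.New("attestation signature invalid")
	}
	var st Statement
	if rest, err := asn1.Unmarshal(a.Statement, &st); err != nil || len(rest) != 0 {
		return nil, errors.New("malformed attestation statement")
	}
	if !bytes.Equal(st.Nonce, nonce) {
		return nil, errors.New("nonce mismatch: stale or replayed attestation")
	}
	if !st.HWBacked {
		return nil, errors.New("key is not hardware-backed")
	}
	pub, ok := must(x509.ParsePKIXPublicKey(st.PubKey)).(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("attested key is not ECDSA")
	}
	return pub, nil
}
```

The point of the nonce check is that an attestation is only evidence about the key for the challenge it was made for; the point of the chain check is the one the comment makes: a device whose identity does not chain to the manufacturer root (no secure element, or a self-minted identity) is refused outright, so the attested key cannot have been intercepted on the way.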