SciPHRHSMs.
A hardware security module (HSM) is built to store private keys and keep them from ever leaving the device. Your Mac and iPhone use one for Touch ID and Face ID, which is why biometric data never leaves the phone.
Accessing the keys once they are stored safely is oftentimes the "issue." On-prem HSMs pose typical on-prem constraints.
Cloud HSMs reduce that friction, but at the cost of latency, cost, and reliance on vendor software.
In both cases, the hardware secures where a key lives, but not how or when it's used.
Related