Could link it to a yubikey via pam.d so you need a fingerpress to authenticate.
replyPhysical attestations are hard to solve, I think it would be nice if all TPMs in laptops had this. Then the problem becomes how do you automate stuff that needs to be done.
replyAnd then the moment you authenticate, the fake sudo still executes its payload.
replyYubikeys do not fix this issue.