_bin_ 21 hours ago
Yeah, this would be my instinct even if someone somehow got a leaked TPM root EK and spoofed it with a bootkit. Your timings/latency/variance are still going to be different from a hardware chip, almost certainly. Yes, you might be able to measure this and attempt to replay it, but that gets hard; then you have to figure out, e.g., how you can pin your hypervisor/mock TPM to a core so timings don't vary under load, etc. It's getting measurably harder to write good cheating software at this point.
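The timing-distribution point above, as an added example (not the commenter's code): a toy check that compares a batch of TPM command round-trip timings against a hardware latency baseline and reports why a sample set looks unlike a discrete chip. The baseline numbers and both sample sets are constructed assumptions, not measurements from any real TPM.

```python
"""Heuristic plausibility check of TPM command round-trip timings.

Added example for illustration only. Baseline thresholds and the sample
timings below are constructed; a real baseline would be measured per TPM
model and firmware on known-good hardware.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Plausible envelope (ms) for one TPM command on a discrete chip.

    All three values are hypothetical placeholders, not vendor figures.
    """
    min_median_ms: float   # below this the responder is faster than the bus/chip allows
    max_median_ms: float   # above this the responder is suspiciously slow
    min_mad_ms: float      # hardware shows at least this much jitter


def mad(samples):
    """Median absolute deviation: a robust spread measure for latency samples."""
    m = statistics.median(samples)
    return statistics.median(abs(x - m) for x in samples)


def assess(samples, baseline):
    """Return a list of reasons the timings look unlike hardware (empty = plausible)."""
    med = statistics.median(samples)
    spread = mad(samples)
    reasons = []
    if med < baseline.min_median_ms:
        reasons.append("median latency below hardware floor")
    if med > baseline.max_median_ms:
        reasons.append("median latency above hardware ceiling")
    if spread < baseline.min_mad_ms:
        reasons.append("latency variance implausibly low for a physical chip")
    return reasons


# Hypothetical baseline for a discrete TPM (constructed values).
HW_BASELINE = Baseline(min_median_ms=15.0, max_median_ms=200.0, min_mad_ms=0.5)

# Constructed sample sets: jittery chip-like timings vs. a tight, fast software responder.
HARDWARE_LIKE = [31.2, 29.8, 33.5, 30.1, 28.7, 34.9, 30.6, 32.3, 29.1, 31.7]
EMULATED_LIKE = [2.01, 2.03, 2.02, 2.00, 2.02, 2.01, 2.03, 2.02, 2.01, 2.02]

if __name__ == "__main__":
    print("hardware-like:", assess(HARDWARE_LIKE, HW_BASELINE) or "plausible")
    print("emulated-like:", assess(EMULATED_LIKE, HW_BASELINE) or "plausible")
```

A single check like this is only one signal; as the comment notes, an emulator can be tuned to mimic a measured distribution, so it is a cost-raiser rather than a proof of hardware.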