cryptonector 2 hours ago

First I've heard of cloud-init. So I went looking to see how it does provisioning of SSH keys and... it doesn't really. Sure, it will add public keys to the authorized_keys file, but it won't do anything to register each provisioned host's public keys anywhere. And here was I hoping for something to do with TPMs or DICE or something. But sadly, no.

It would be a really good thing to integrate something like Safeboot (https://github.com/osresearch/safeboot), which does use TPMs. Safeboot is implemented as Bash scripts using tpm2-tools, which... I'm really not fond of. I'd rather implement the Safeboot protocol or similar from scratch in Rust or Go, or even maybe parts in C and parts in a safe language. But anyways, the idea is to enroll a host given its TPM's EKcert or the system's platform cert (if it has one), and in the process generate credentials for the host that it will be able to fetch upon attestation upon first boot and which only it can decrypt using its TPM, then after that the host can use those credentials as a root of trust with which to acquire any other necessary credentials (if any). E.g., client certificates, Kerberos keys ("keytabs"), TLS server certificates, etc.

figmert an hour ago

Cloud-init isn't about the boot process, it's about initial provisioning of a system.

If you need the host's public keys registered somewhere, you can do that using cloud-init, but there's no built-in mechanism. You'd have to write your own script to do so.
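
As an added example (not from either commenter and not part of cloud-init), this is the kind of helper a first-boot script run by cloud-init could use to build a host-key registration record: it validates each `ssh_host_*_key.pub` line and derives the SHA256 fingerprint and `known_hosts` entry. The hostname, the record layout and the sample key are constructed assumptions, and where the record is sent is left out; a record the host reports about itself carries no TPM-backed attestation.

```python
import base64
import hashlib
import json
import struct

def parse_pubkey_line(line):
    """Parse one OpenSSH public-key line: 'type base64 [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("key blob is not valid base64") from exc
    # The blob begins with a length-prefixed copy of the key type;
    # a mismatch means the line was edited or is not a public key.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob contents")
    return key_type, b64, blob

def fingerprint(blob):
    """SHA256 fingerprint in the form 'ssh-keygen -l' prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def registration_record(hostname, pub_lines):
    """Build the record to hand to an inventory (layout is hypothetical)."""
    keys = []
    for line in pub_lines:
        key_type, b64, blob = parse_pubkey_line(line)
        keys.append({"type": key_type,
                     "fingerprint": fingerprint(blob),
                     "known_hosts": f"{hostname} {key_type} {b64}"})
    return {"host": hostname, "keys": keys}

def constructed_ed25519_line():
    """Constructed sample key line (not a real host key)."""
    t, k = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(k)) + k
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@sample"

if __name__ == "__main__":
    # On a real host the lines would come from /etc/ssh/ssh_host_*_key.pub.
    rec = registration_record("host1.example.internal",
                              [constructed_ed25519_line()])
    print(json.dumps(rec, indent=2))
```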