hacker_homie 2 hours ago

I thought a solution to this would be to use a physical smartcard to store the certificate (perhaps on your government ID). If the protocol is a challenge/response and the private key never leaves the card, it would make proxying without the physical card more difficult.

wolvoleo an hour ago

Yeah great idea, having to get out your government ID every time you want to use a website.

pastel8739 an hour ago

If the smart cards required some human input to perform a signature, maybe this could work. Otherwise there is nothing stopping someone from selling use of their card via some proxy software.