TPM can solve the "neither side gets info about who you are or where it's used" part, but it seems like that might mean any TPM leak also means a single token can be used infinitely without detection, yeah? Otherwise it's uniquely identifying, which wouldn't be even slightly private.