See also: RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)

https://datatracker.ietf.org/doc/html/rfc9449

The spec doesn't say where you store the key material, but you could reasonably put it in a TPM.