Similar to the recommendations to use a YubiKey/hardware token, SeKey on a Mac lets you use a key generated in the Secure Enclave in an unexportable form (https://github.com/sekey/sekey)
Secretive also does this, and works on any Mac with the T2. I use it for all my ssh keys these days. It’s super slick!