> A zero knowledge proof (ZKP) answers a question without revealing anything more than the answer. For example, a digital signature proves your possession of a private key without revealing that key.
I don't think a digital signature is a Zero-Knowledge Proof because someone else could copy and paste the signature and then it would look like they know the key, and because other third parties could check whether the signature was valid or not.
To be a true Zero-Knowledge Proof it needs to:
* show that you know the thing without revealing the thing
* not allow other people to copy your answer
* not allow anyone other than your intended counterparty to even verify the answer
>> I don't think a digital signature is a Zero-Knowledge Proof because someone else could copy and paste the signature and then it would look like they know the key, and because other third parties could check whether the signature was valid or not.
One of us is confused. You can't copy a digital signature in a useful way. Without the message it doesn't mean anything. With the message it's proof that the message was signed by someone with the private key.
To meet your second two (arbitrary) requirements, have the signer encrypt the signed message with your public key before sending it to you.
I think even aside from that (which can be solved with challenge-response) digital signatures are typically not ZKPs because the signature itself constitutes information that must be transferred during the proof.
I think you can make a nice zero-knowledge interactive protocol to prove knowledge of an RSA secret key. First, the prover and the verifier jointly agree on a random number m between 1 and n-1. [0] Then the verifier signs that number, and tells the prover the signature. (The signature is d^m mod n.) The verifier verifies the signature, which, critically, is exactly the same as verifying that the signature encrypts to m.
Why is this zero-knowledge? Because the verifier could invent an entire transcript of the protocol without the prover’s help: choose a random signature and encrypt it to generate the “random message”. So the ability to work with the prover to generate random pairs of (message, signature) accomplishes nothing at all except to convince the verifier that the prover knows the secret key.
This, by the way, is one of many footguns involved in using raw RSA: you cannot assume that a private key was used properly just because someone presents the signature of some message. Better signature schemes built on top of RSA avoid this problem.
[0] This is fairly straightforward using cryptographic hashes. The verifier could instead choose freely, but then the protocol isn’t zero-knowledge.
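
The simulation argument from the last comment, as an added example that is not part of the thread. It uses textbook raw RSA, where the signature on m is m^d mod n, and builds a transcript from the public key alone that passes the same check as a real one. The toy key, the nonce-hashing step and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy key: textbook primes 61 and 53, far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q                           # public modulus, 3233
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the prover


def agree_on_message(prover_nonce, verifier_nonce):
    """Derive m in [1, N-1] from both nonces, so neither side picks m alone.

    Assumption: the prover commits to its nonce before seeing the verifier's.
    """
    digest = hashlib.sha256(prover_nonce + verifier_nonce).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1


def prover_sign(m):
    """Raw RSA signature; the only step that needs the private exponent."""
    return pow(m, D, N)


def verifier_check(m, s):
    """Accept if the signature 'encrypts' back to the agreed message."""
    return 0 < s < N and pow(s, E, N) == m


def real_transcript():
    """One honest run: agree on m, then the prover signs it."""
    m = agree_on_message(secrets.token_bytes(16), secrets.token_bytes(16))
    return m, prover_sign(m)


def simulated_transcript():
    """Built from the public key only: pick the signature first, derive m."""
    s = secrets.randbelow(N - 1) + 1
    return pow(s, E, N), s


def transcript_spaces_match():
    """Exhaustively compare every possible real and simulated (m, s) pair."""
    real = {(m, pow(m, D, N)) for m in range(1, N)}
    simulated = {(pow(s, E, N), s) for s in range(1, N)}
    return real == simulated


if __name__ == "__main__":
    print("real:", real_transcript(), "simulated:", simulated_transcript())
    print("identical transcript spaces:", transcript_spaces_match())
```

Because a simulated pair verifies exactly like a real one, a bare (message, signature) pair under raw RSA is no evidence that the presenter holds the private key, which is the footgun the comment describes.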