The most typical end-game is using an HSM-backed cloud product, generating the PK in the HSM (it never leaves), and making calls across the network to the key vault service for signing requests.
This is a hard tradeoff between availability and compliance. If the cloud service goes down or you have an internet issue, you would lose the ability to sign any new tokens. This is a fairly fundamental aspect of infrastructure so it's worth considering if you absolutely must put it across the wire.
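As an added illustration of the availability tradeoff described above (example code, not from the original comment or any vendor SDK): a Go sketch of a token issuer that delegates signing to a simulated HSM-backed vault. RemoteHSMSigner, Token and the Available flag are constructed stand-ins for the vault API and its reachability; signing fails closed during an outage, while verification of already-issued tokens keeps working from the cached public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ErrVaultUnavailable models the outage discussed above: no new tokens can be signed.
var ErrVaultUnavailable = errors.New("key vault unreachable: cannot sign new tokens")

// RemoteHSMSigner is a constructed stand-in for an HSM-backed key vault: the private key
// is generated inside and never returned; callers only get Sign and PublicKey.
type RemoteHSMSigner struct {
	priv      *ecdsa.PrivateKey
	Available bool // simulates whether the vault is reachable over the network
}

func NewRemoteHSMSigner() (*RemoteHSMSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RemoteHSMSigner{priv: priv, Available: true}, nil
}

// PublicKey is fetched once and cached; verification never needs the vault afterwards.
func (s *RemoteHSMSigner) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign is the one call that crosses the wire; it fails closed rather than using a local key copy.
func (s *RemoteHSMSigner) Sign(digest []byte) ([]byte, error) {
	if !s.Available {
		return nil, ErrVaultUnavailable
	}
	return ecdsa.SignASN1(rand.Reader, s.priv, digest)
}

// Token is the issued artifact: a payload plus the vault's signature over its SHA-256 digest.
type Token struct{ Payload, Sig []byte }

// IssueToken depends on the vault: during an outage it returns ErrVaultUnavailable.
func IssueToken(s *RemoteHSMSigner, payload []byte) (Token, error) {
	digest := sha256.Sum256(payload)
	sig, err := s.Sign(digest[:])
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Sig: sig}, nil
}

// VerifyToken needs only the cached public key, so earlier tokens stay checkable offline.
func VerifyToken(pub *ecdsa.PublicKey, t Token) bool {
	digest := sha256.Sum256(t.Payload)
	return ecdsa.VerifyASN1(pub, digest[:], t.Sig)
}
```

Flipping Available to false reproduces the outage: IssueToken returns ErrVaultUnavailable while VerifyToken on previously issued tokens still succeeds.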