From my research, best practice is to not rotate SSH keys and not to move private keys across systems; you’re supposed to ssh-keygen once and use it only on that machine.
If you need access from a different machine, you generate a new key pair.
My question is straightforward:
Is it possible to enforce these rules on the server?
The way it would work is that the SSH client sends, along with the public key, also the “fingerprint” of the machine.
Something tangentially relevant to this happens in reverse already in an SSH setup: if the server has likely changed, then the client is warned of a fingerprint mismatch between previous connections and the about-to-be connection.
PS: with standard tools and without complicating matters too much.