Does certbot support integration with HSM provider to get the PVK from?
It seems that the only points in the certificate lifecycle that custom behavior can be implemented
is in the domain validation and the instillation phases (where plugins are supported)
but maybe there is more than that.
Out of interest which platforms are you looking to support? e.g. where would you running certbot. While certbot may not support this other acme clients (such as the one I develop) might be interested in providing this functionality.