Yes, using TPM-protected TSS2 keys would tie them to your actual machine, since only that TPM can internally decrypt them and use them without them being accessible outside. The TPM could be a discrete chip or a software/virtual one.
For instance, OpenSSL has an engine/provider for tpm2-tss; however, I think the software using the keys needs to be engine-aware.