That's not meaningfully more difficult than tricking you into revealing your key file password.
>Instead of on each sign operation.
But from your video each sign operation also requires a touchid prompt?
No, but that's meaningfully more difficult to do without an intervention from the user. Say your computer is infected, the malware won't silently do it: it will have to interact with you.
And an important part is that you apparently don't have to make the key exportable:
> So if that's in your threat model don't make the key exportable.
Which now makes it meaningfully more difficult to extract.
I would personally not export it, just like I don't export (and can't export) the key from a security key. That's a feature.
MacOS is so needy about all kinds of fingerprint/password-related things (and has no context of secure desktop) that it is trivial for malware to simulate and no way for the user to tell whether it's genuine, so it's not a real barrier at all.
But yeh the malware only needs to trick you to hit TouchID once. Instead of on each sign operation. So if that's in your threat model don't make the key exportable.