First, I’m not expert.

My understanding is if someone reflash your devices you can detect it using your external security devices which utilize HOTP, TOTP & PGP.

Maybe this also good resource for you: https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/

Coreboot Heads might interest you: https://osresearch.net/

I believe you might be correct: there is no perfect on-device solution to protect against all hardware level attacks.

Heads attempts to solve the problem by using an external security key device to validate the hardware for you. This way, the challenge is easier: reducing the problem to protecting one small USB device instead of a whole computer.