Use a different public key for every site, specify which one in your .ssh/config. Only offer keys for the site(s) they correspond to. Done. This is already best practice, but could easily be improved by simple tools to manage it. You do not also need things like attestation and restriction of backups.
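A sketch of the kind of simple management tool mentioned above, added here as an example and not part of the original comment: it audits an ssh client config for Host blocks that share a key or omit `IdentitiesOnly yes` (without which ssh may also offer keys held by the agent). The host aliases and key paths are constructed placeholders, and the parser looks at each `Host` block in isolation, ignoring `Match`, `Include` and wildcard inheritance.

```python
import re
from collections import defaultdict

# Constructed sample config; host aliases and key paths are placeholders.
SAMPLE_CONFIG = """\
Host github
    HostName github.com
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes
Host work
    HostName git.work.example
    IdentityFile ~/.ssh/id_ed25519_work
Host lab
    HostName lab.example
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes
"""

def parse_hosts(text):
    """Return {host pattern: {lowercased keyword: [values]}} per Host block."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = hosts.setdefault(value, defaultdict(list))
        elif current is not None:
            current[key].append(value)
    return hosts

def audit(text):
    """Flag Host blocks that break the one-key-per-site practice."""
    findings, key_users = [], defaultdict(list)
    for host, opts in parse_hosts(text).items():
        if not opts["identityfile"]:
            findings.append((host, "no IdentityFile"))
        # Without IdentitiesOnly yes, ssh may also offer keys held by the agent.
        if [v.lower() for v in opts["identitiesonly"]][:1] != ["yes"]:
            findings.append((host, "IdentitiesOnly is not yes"))
        for path in opts["identityfile"]:
            key_users[path].append(host)
    for path, users in key_users.items():
        if len(users) > 1:
            findings.append((",".join(users), "shared key " + path))
    return findings

if __name__ == "__main__":
    for host, problem in audit(SAMPLE_CONFIG):
        print(f"{host}: {problem}")
```

On the sample, `github` passes, `work` is flagged for the missing `IdentitiesOnly yes`, and `work` and `lab` are flagged for sharing one key.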