
Is there a way to secure an IoT device (e.g. ESP32) that is physically accessible?


How do you secure IoT devices (e.g. ESP32) out in the field that are physically accessible, given that their SSL client certificate can be copied and used for impersonation and/or publishing wrong data to the server/broker? Alternatively, is there a way of knowing if the IoT client has been compromised?


Solution

  • The best way to secure the hardware is by adding an embedded security module, or, if that is not possible, an external one.

    The solutions range from embedded modules such as

    - integrated circuit modules like the https://www.microchip.com/wwwproducts/en/ATECC508A, which might be compatible with the module you specified

    - to more general-purpose hardware-secured USB sticks, like here: https://www.techradar.com/news/best-secure-drives

    - to a secured local storage module on the IoT device

    - to a dedicated Hardware Security Module (HSM)

    All depending on your specific application and needs.
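
The following is an added example, not part of the answer above or of any vendor's code. It sketches why a secure element addresses the copied-certificate problem from the question: the server sends a fresh challenge and accepts only a signature made by the private key enrolled for that device, so a copied certificate alone proves nothing. The `SecureElement` type is a software stand-in (an assumption) for a chip such as the ATECC508A, and all function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SecureElement simulates a chip that generates a P-256 key internally and
// exposes only a Sign operation; the private key is never exported.
type SecureElement struct{ key *ecdsa.PrivateKey }

func NewSecureElement() (*SecureElement, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureElement{key: k}, nil
}

// Public returns the public key the server enrolls for this device.
func (s *SecureElement) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign signs SHA-256(challenge) with the key held inside the element.
func (s *SecureElement) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, s.key, d[:])
}

// NewChallenge returns a fresh 32-byte nonce; the server uses each one once.
func NewChallenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Verify is the server-side check against the enrolled public key.
func Verify(enrolled *ecdsa.PublicKey, challenge, sig []byte) bool {
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(enrolled, d[:], sig)
}

func main() {
	dev, _ := NewSecureElement()
	clone, _ := NewSecureElement() // impersonator: has the certificate, not the key
	c, _ := NewChallenge()
	good, _ := dev.Sign(c)
	bad, _ := clone.Sign(c)
	fmt.Println(Verify(dev.Public(), c, good), Verify(dev.Public(), c, bad))
}
```

This check stops a copied credential from being used on other hardware; it does not tell the server whether someone with physical possession of the genuine device is driving its signing operation.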