by pisipisipisi 2831 days ago
The key is generated inside the card, but the key generation is initiated via your computer (but in fact, initiated by the card management system). So no, you cannot intercept any keys in that process.

What I did not like about the process in Poland was that the key generation was done using a computer that wasn't mine. How do I know if the key was really generated on the card, rather than on the PC (and then a copy uploaded to the card)?

I have to trust the companies that provide the issuing services, which I do not like.

I don't know about your particular device, but Yubikeys have a remote attestation feature so that you (or anyone else) can validate that a given key was generated on the card, not imported (assuming you trust Yubico). This works only in the PIV applet. Source: https://developers.yubico.com/yubico-piv-tool/Attestation.ht...

Thanks for correcting me, I vaguely remember external key generation being possible/done but Google is being useless at helping me find where I read about it.

External key generation could still make sense as Estonian ID cards were susceptible to the Infineon bug. One workaround to that bug would be generating the key in software and putting it on the card. (I'm not saying that's the case, but merely that it may make sense.)