That's generally what you want. If the private key only ever existed in the TPM then you know there aren't any copies in an attacker's hands somewhere (ignoring hardware vulnerabilities). But if you copy a key into the TPM, there could have been malware that stole a copy of the key beforehand.
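An added example, not part of the original comment: a relying party can tell the two cases apart from the key's TPM 2.0 object attributes, since only a key with `fixedTPM`, `fixedParent` and `sensitiveDataOrigin` all set was generated by the TPM and cannot be duplicated out of it. The function names and sample blobs are hypothetical, and the check assumes the public area comes from a trusted source (for instance a `TPM2_Certify` attestation verified against a trusted attestation key), because an unauthenticated blob can claim any attributes.

```python
import struct

# TPMA_OBJECT bits, TPM 2.0 Library Specification Part 2 (Structures).
REQUIRED = {
    "fixedTPM": 1 << 1,             # cannot be duplicated to another TPM
    "fixedParent": 1 << 4,          # cannot be moved under another parent
    "sensitiveDataOrigin": 1 << 5,  # TPM generated the private part itself
}


def object_attributes(tpm2b_public: bytes) -> int:
    """Extract objectAttributes from a marshalled TPM2B_PUBLIC."""
    if len(tpm2b_public) < 10:
        raise ValueError("too short for a TPMT_PUBLIC header")
    # size(2) | type(2) | nameAlg(2) | objectAttributes(4), all big-endian
    size, _type, _name_alg, attrs = struct.unpack_from(">HHHI", tpm2b_public)
    if size != len(tpm2b_public) - 2:
        raise ValueError("TPM2B size field does not match blob length")
    return attrs


def never_left_tpm(tpm2b_public: bytes) -> tuple[bool, list[str]]:
    """Return (ok, missing): ok only if the key was TPM-generated and is bound to it."""
    attrs = object_attributes(tpm2b_public)
    missing = [name for name, bit in REQUIRED.items() if not attrs & bit]
    return (not missing, missing)


def sample_public(attrs: int) -> bytes:
    """Constructed sample: RSA / SHA-256 header, empty authPolicy, rest omitted."""
    body = struct.pack(">HHIH", 0x0001, 0x000B, attrs, 0)
    return struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    # Constructed values: the first mimics a key made by TPM2_Create,
    # the second a key brought in with TPM2_Import (fixed* bits must be clear).
    created = sample_public(0x00040072)   # fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|sign
    imported = sample_public(0x00040040)  # userWithAuth|sign only
    print("created :", never_left_tpm(created))
    print("imported:", never_left_tpm(imported))
```

A key that fails this check is not necessarily compromised; it only means the TPM cannot vouch that no copy ever existed outside it.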