Do you mean the private ECC key? I don't know the specific details of the system, such as if or when a specific device key used for iCloud enrollment can be rotated. (I have no specific familiarity with Apple's iCloud or device management code, I'm just familiar with publicly known details of the T2, and also familiar with the macOS/iPhone Keychain APIs for generating and using T2 keys.)
But in case it wasn't clear: it's not an API key, but a public/private ECC P-256 key pair used for ECDSA signing. Apple only knows the public key (it doesn't much matter if the whole world knows the public key), whereas the private key never leaves the T2 chip. If any secrets have been exfiltrated from the T2 enclave there are bigger problems at hand, and generating a new key pair would be useless before fixing those problems.
But in case it wasn't clear: it's not an API key, but a public/private ECC P-256 key pair used for ECDSA signing. Apple only knows the public key (it doesn't much matter if the whole world knows the public key), whereas the private key never leaves the T2 chip. If any secrets have been exfiltrated from the T2 enclave there are bigger problems at hand, and generating a new key pair would be useless before fixing those problems.