[lxgr]

Have you looked into how (whether?) Windows Hello actually checks which app is asking it to perform a private key operation?

On Android, this is tied to the app UID, and on iOS/macOS it's tied (I believe) to the developer team identifier. Hopefully there's a similar mechanism on Windows...?

[briHass]

It doesn't, or at least it doesn't for traditional applications. UWP (store apps) might, but I've never seen it.

To be fair, identifying an app when not delivered through some locked down store mechanism is actually problematic. DPAPI is tied to the user/machine account along with additional entropy provided by the application itself. It would be nice if MS added an option for DPAPI to use a hash of the name blessed by a CA in a valid code signing cert. However, that wouldn't matter in this case, since they had domain admin and could easily manipulate the cert store.

[lxgr]

Self-signed code signing certificates would seem to be a good compromise (like e.g. Android does it).

Even a hash over the executable (+loaded DLLs) would work in a pinch. Breaks app binary updates, but for a “stay logged in and unlock via biometrics“ feature (as opposed to “store this credential forever”), that might be acceptable.