and the ability to utilize a known key to access it, to verify legitimacy.
I'm not 100% certain I understand. But here are some basic guidelines to keep in mind, which may or may not be relevant to your plans.
You should not put any copy of your key.pem file on hardware or software you distribute to customers or the general public. Your key.pem file should be kept secret. Many plenty of backup copies, but keep them all secret.
The key.pem file is used to create the .ehex file when you compile. It is not used to actually load the .ehex file onto Teensy. So you could verify whether a locked Teensy has your key by loading one of your .ehex files onto it. But consider if someone wanted to create an imposter device, and they're willing to go to considerable effort to do so. They could make a USB device that isn't even Teensy, but pretends to be. It could receive all your .ehex file but just ignore the data and lie to you that wrote it into flash memory.
In other words, the process of loading a .ehex file is designed for security of only specific goals. These are the main 2 goals:
1: Confidentiality of the original .hex data
2: Prevent booting or running if the .ehex uses the wrong key
Like so many security protocols, other goals aren't necessarily secure. Teensy Loader does have some checking to prevent writing incompatible .ehex files, but those checks are not designed for strong security. The confirmation of data written isn't done with a secure protocol. Anyone (with significant effort) could craft software that writes the wrong .ehex file to a locked Teensy. They could also create a non-Teensy device that pretends to be Teensy and says .ehex data was written. The process of loading the .ehex file isn't secured. A wrong .ehex can be loaded, but it won't be able to boot.
What an imposter device can't do (or would need to break strong encryption or somehow steal your key to accomplish) is actually running your .ehex program, or extracting the original .hex data from it. Those are the only 2 things lockable Teensy really secures.
As I tried to explain earlier, if you want to design this well, you should strive to create a program which runs on Teensy and can't be easily impersonated. Lockable Teensy's 2 security goals gives you the platform to keep attackers from gaining the unencrypted code. It also prevents them from being able to run it on any other Teensy, and they are prevented from running any program of their making on your lockable Teensy.
There are many ways you could do this, but as far as I know, to have good security for your goal you really need 2 way communication. You'll need to transmit a message of unique data, and have your .ehex code compute an answer that can't be easily guessed. It's important to use unique data, so an attacker who seeks to impersonate your ID hardware can't simply capture the communication on the USB cable and replay it later to impersonate your device.