Ultimately, it's all just instructions being sent to your computer to be executed, and "your computer" is whatever you say it is. Everything (e.g. Intel SGX et al) can be emulated in a sandbox. That's how modern DRM is defeated.
The only way this attack can even be avoided in principle is to restrict distribution of the DRM TPM chip — ala Nintendo's NES CIC lockout chip that never left Nintendo's hands except in the form of finished first-party-assembled game cartridges. But even that only prevents mass production and sale of devices that defeat your DRM; any sufficiently motivated attacker can still buy a legitimate device from you that includes the DRM TPM chip, rip the DRM TPM chip out, and feed it to their evil-demon hardware to enable it to faithfully attest a lie over the network.
In short: if this was truly a practical additional layer of defense, there'd be tons of use-cases for it — game consoles, set-top boxes, kiosk computing (e.g. ATMs), etc.
But you don't see anyone using DRM TPM chips for these systems, because it's not a practical additional layer of defense: such chips would increase BOM for these systems, while only defending against attacks that weaker defenses (namely software DRM, or programmable-firmware DRM like Intel SGX) already defend against; and while not doing anything more to stop the truly motivated attackers than current layers of defense already do — as your Netflix pirate media-scraping bots, your EVE Online gold-farming bots, etc. all have the monetary incentive and capital to invest to build exactly these evil-demon systems.