What if I buy one real device and clone the serial number? This has been solved more than a decade ago but it requires hardware with secure storage to maintain a private key. Some centralized service holds the public key and can verify the device by asking it to sign something with the private key. This is basically every cell phone, quality IoT device, etc. The private key is installed in the factory, maybe provided by a secure connection back to the centralized service. Hardware features lock that key in place preventing it from being read out without a ton of work (connections are literally burned open with overcurrent inside the IC).

Since the key is unique to the device, it can easily be disavowed in the central database if a device does become compromised. Anything less than this is probably a few hours from being completely broken. And this scheme can be broken by non-state actors, especially if the private key storage is naively or poorly implemented. Many MCUs have multiple levels of readout protection and it can be easy to misconfigure. A single mistake in memory mapping could expose information on external interfaces. And then you’re trying to do all of this in China, on the cheap. Pack a lunch.