Check how Play Integrity works today (DEVICE and STRONG integrities) and how it uses a non-extractable hardware key fused into the chip or security processor. Or read the GrapheneOS attestation guide and their example code. It's un-spoofable hardware attestation.
The fact that you can make it pass in some cases using Magisk and so on is because it's spoofing an older device (launched before Android 8) without hardware-bound keys and Google is deliberately allowing that in order not to blacklist the genuine users.
However, once Google decides that the collateral damage is tolerable and those devices should no longer pass Play Integrity, then it's game over. You can't spoof any newer stuff, as you can't produce the desired signature -- only the hardware can do it and the hardware won't do it.
The only way would be if the manufacturer screwed up and it's possible to run unsigned code (or signed by a different key) and maintain a pristine bootloader, or if the hardware key leaks somehow. In either case, the key is per device so Google is always free to blacklist that device if it really wants to. (Verification of the signatures is always done off-device, through Google's servers.)
The fact that you can make it pass in some cases using Magisk and so on is because it's spoofing an older device (launched before Android 8) without hardware-bound keys and Google is deliberately allowing that in order not to blacklist the genuine users.
However, once Google decides that the collateral damage is tolerable and those devices should no longer pass Play Integrity, then it's game over. You can't spoof any newer stuff, as you can't produce the desired signature -- only the hardware can do it and the hardware won't do it.
The only way would be if the manufacturer screwed up and it's possible to run unsigned code (or signed by a different key) and maintain a pristine bootloader, or if the hardware key leaks somehow. In either case, the key is per device so Google is always free to blacklist that device if it really wants to. (Verification of the signatures is always done off-device, through Google's servers.)