I have a feeling that ssh-agent and a technique named "agent forwarding" may be a way you can prevent your users from putting private keys on your ssh (bastion?) hosts. I haven't used this myself, but here's my understanding of how it works:
An ssh agent runs on the user's computer while they have an ssh session open, and the agent caches the user's private key. The ssh client on their computer gets their private key from the agent.
After the user connects to your ssh host, the ssh config makes the ssh client run its own agent, which uses a tunnel back to their computer's agent to fetch the private key and cache it in memory. Their ssh sessions from your ssh server to other machines use the private key from the agent. Nothing is saved to disk on your ssh servers.
- An ssh agent runs on the user's home computer while they have an ssh session open, and the agent caches the user's private key. When they ssh to your server, their ssh client asks the agent to answer the challenge for the key, and they log into your server.
- The local ssh config on your server tells ssh clients to tunnel key challenges back through the ssh connection from their home computer to their ssh client (and then to their agent).
- When they ssh from your ssh host to other servers, the key challenges go back to their home computer and are answered by their agent. No need for private keys on your servers.
I saw a reference to a guide at this URL: https://docs.github.com/en/developers/overview/using-ssh-agent-forwarding, but I've only skimmed through it quickly. There's a link there to a guide by Steve Friedl with good details.
This may not be enough to prevent your people from invoking ssh -i id_my_sysadmin_hates_this_keysymcbean_hates_this_key_file, but perhaps most of them will stop if they have an automatic way to use their key on your ssh server.
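The set-up described above, as an added example (not from the original answer): the client and bastion configuration that enables agent forwarding, plus two shell helpers a bastion admin can use to confirm the agent is reachable and that no private keys have ended up on disk. Host names and paths are illustrative assumptions.

```shell
# Added example, not the original answer's code. Assumes OpenSSH; the host
# name "bastion" and the paths are illustrative.

# --- Client side (~/.ssh/config): forward the agent only to the bastion ---
# Host bastion
#     HostName bastion.example.com
#     ForwardAgent yes
#
# --- Bastion side (/etc/ssh/sshd_config) ---
# AllowAgentForwarding yes
#
# Caveat: while a session is open, root on the bastion can use the forwarded
# socket to sign with the user's keys; it cannot read the key material itself.

# Report whether this session has a forwarded agent and whether it answers.
agent_status() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no agent socket in this session"
        return 1
    fi
    ssh-add -l >/dev/null 2>&1 && echo "agent reachable at $SSH_AUTH_SOCK"
}

# List files under DIR that carry a private-key header (OpenSSH or PEM),
# i.e. exactly what agent forwarding is meant to keep off the bastion.
find_private_keys() {
    dir=$1
    grep -rl -e '-----BEGIN OPENSSH PRIVATE KEY-----' \
             -e '-----BEGIN RSA PRIVATE KEY-----' \
             -e '-----BEGIN EC PRIVATE KEY-----' \
             -e '-----BEGIN PRIVATE KEY-----' "$dir" 2>/dev/null
}

# Number of such files, for scripted checks (0 means the directory is clean).
count_private_keys() {
    find_private_keys "$1" | wc -l | tr -d ' '
}
```

Running `count_private_keys /home/someuser/.ssh` from a cron job is one way to notice users who bypass the agent and copy a key file up anyway.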