Re: Isn't this...
"Firstly every TPM has a unique RSA key burned into the module. ..."
Who says that it's actually unique?
The keys are signed by the manufacturer, trust resides with the manufacturer.
How do you know that this key wasn't copied to some three letter agency?
I suspect that you're not understanding what the key is used for. The public (EKpub) key is, like all public keys, intended to be handed to anyone. It is used to affirm that an identified entity is associated with a particular key. If someone else has the private and public keys and asserts that they are the entity associated with that key and has a cloned TPM with the same key then at the time of attestation either - the key will already the registered and the entity will have to explain what they are doing with someone else's key or the key will be unregistered and they will be permitted to register. Whoopee they now have a key associated with their (real or forged) ID that identifies them uniquely, or they don't.
The key does not permit them to access someone else's system or intercept their traffic because the certs created with those keys are also unique. Also when that key is registered the fault condition of a duplicate EK will be detected. Something is clearly wrong and the CA will not issue a certificate.
If someone has duplicated your key and uses it to make a cert request using your credentials then the cert they pay for will be delivered to you. That would give you a bit of a hint that something is wrong.
What if the laser or power supply pulses during burning can be detected next door?
<shrug> The burning is done by the chip manufacturer. You would have to be able to identify which TPM was being burned and follow it through the supply chain to its destination. Pointless and extremely unlikely given how many TPMs will be burned in a session.
Your questions sound like tinfoil helmet stuff.