arun_dev

Reputation: 11

How can one import a PEM private key securely in the browser with Javascript?

I have a broad question about internet security, but if you guys have any implementation tips or even broader observations, they are very appreciated as well.

The requirement I have is to perform some signature on the FE side. They are requiring the FE application to sign some data before shipping it to the BE, where the signature will be validated with a public key.

To perform the signature, FE will be provided with a private key by a Certificate Authority... ... the format of the key will be PKCS#1 PEM text formatted using RSA as a cryptographic algorithm and SHA256 as hashing algorithm.

My issue is: how do I import the private key with JS without making it traceable/retrievable by a user - even a user that uses the devtools, digs through the code, sets breakpoints and such?

Or, in more direct terms: how does one import an externally generated provided private key with Javascript without revealing the private key to any ill-intentioned user?

I have studied the Web Crypto API a little bit and also considered using JSEncrypt to:

  1. import the private key;
  2. sign the content;

But in both cases, in order to get my private key to then do the signature, there seems to be a risk of a user getting a look at the PEM and a way to use it himself.

Any word of advice? Any expert tips that you can share? Would you use a specific library or Web Crypto API for the task?

Thanks, Arun.

Upvotes: 0

Views: 720

Answers (0)
