Provide private key and certificate for android app

My app needs to consume webservice, and I would like to authenticate app against server with certificate.

However, embedding keystore with signed key into package is considered bad practice (and explicitly warned against: https://developer.android.com/google/play/asi) as it can be extracted an decrypted.

I can generate private key with android provided keystore, and use it - but I still need it to be signed in order to verify it on server side.

In ideal case there shall be certificate chain, with trusted root authority and containing metadata of signed app package I could verify on server side.

Or is it somehow possible to use package signature in certificate generation process to prove that self signed certificate originated form untampered package?

from Provide private key and certificate for android app