How can I enforce that an SSH private key has a passphrase?

No. You can't enforce on the server side that the key has passphrase. Key is always on the client side and the server sees only the signature of challenge and public key. Certificates (aka signed keys) will not help either, because the public keys are signed.

I propose you to have a look at some kind of two factor authentication or smart cards if you want to go this way in security.