The problem is rather the opposite. The keys are secure and their sale is decentralized, which gives limited control over them. People generate the keys with stolen credit cards, and then resell them. The postal devs are basically admitting they are giving up trying to actually go after the thieves, but it is genuinely hard to figure out which keys are legit and which are stolen. All your proposing is to make it impossible to revoke a key even if you know it's illegal.
The actual way to prevent this theft would be to forbid merchants from generating keys at all, and go to a fully centralized model like Steam and Epic generally use.