Board: Development & Technical Discussion
Re: CoinCovenants using SCIP signatures, an amusingly bad idea.
by jl2012 on 26/09/2013, 03:50:26 UTC
I had an idea that I thought would work to prevent covenants.

There exist chameleon hash functions... these are hash functions which are parametrized by a public key and are cryptographically strong collision resistant hashes to anyone who doesn't know the secret corresponding to the public key. ... but someone who knows the secret can trivially compute collisions.

My thought was that if you had the hash over the transaction outputs pass through a chameleon hash then you could tell the covenant you were using one set of outputs, but then substitute another set after obtaining your signature. But it would still be secure because no one else could make this substitution.

Unfortunately it seems like it wouldn't work: The covenant could force you to use a nothing-up-my-sleeve number as the public key for the hash, e.g. like the txid of the coin you are spending.


Just add a rule requiring that all SCIP inputs be sent to standard pubkey hash outputs, so covenants are not possible. However, this will eliminate all "good uses" of covenants.
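The chameleon-hash idea discussed above, as an added example that is not part of the original post: a discrete-log chameleon hash (one known construction, chosen here because the post names none) where the trapdoor holder swaps the committed outputs, and a key derived from a txid for which nobody holds a trapdoor. The group parameters, function names and sample byte strings are assumptions made for illustration, and the group is far too small for real use.

```python
import hashlib
import secrets

# Toy group (constructed for illustration, far too small for real use):
# P = 2Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def to_zq(data: bytes) -> int:
    """Map arbitrary bytes (e.g. serialized outputs) to an exponent mod Q."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Return (trapdoor x, public key h = G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def chameleon_hash(h: int, msg: bytes, r: int) -> int:
    """CH_h(msg, r) = G^H(msg) * h^r mod P."""
    return pow(G, to_zq(msg), P) * pow(h, r, P) % P

def collide(x: int, msg: bytes, r: int, new_msg: bytes) -> int:
    """With trapdoor x, solve H(msg) + x*r = H(new_msg) + x*r' (mod Q) for r'."""
    return (r + (to_zq(msg) - to_zq(new_msg)) * pow(x, -1, Q)) % Q

def nums_key(txid: bytes) -> int:
    """Key derived from public data: squaring lands in the order-Q subgroup,
    and nobody learns log_G(h), so collide() has no trapdoor to work with."""
    ctr = 0
    while True:
        seed = hashlib.sha256(txid + bytes([ctr])).digest()
        h = pow(int.from_bytes(seed, "big"), 2, P)
        if h > 1:  # skip the degenerate elements 0 and 1
            return h
        ctr += 1

def demo():
    x, h = keygen()
    shown, swapped = b"outputs shown to covenant", b"outputs actually used"
    r = secrets.randbelow(Q)
    r2 = collide(x, shown, r, swapped)  # only possible with the trapdoor x
    same = chameleon_hash(h, shown, r) == chameleon_hash(h, swapped, r2)
    forced = nums_key(bytes(32))  # constructed all-zero txid
    return same, pow(forced, Q, P) == 1

if __name__ == "__main__":
    print(demo())
```
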