It sounds like you are looking for what is often called mutual authentication. Normally when using HTTPS, the server presents a certificate to the client to prove who it is. With mutual authentication, the client also has to prove who it is to the server, again often using a certificate based method. This is not necessarily easy to set up - you would need to set up your own PKI. You would not need the root certificate to be commercially signed to prevent warnings if you install the public part of the signing certificate on all your clients.
Since cloning the SD card would copy any certificates you might want to tie in some other identification factor too. Perhaps the client could provide its MAC or the serial number from /proc/cpuinfo, and you check against a white-list on the server. None of these is a perfect mechanism, but the more you layer together the harder it is to mimic all of them.
In terms of tamper detection, the main two (free) tools for Linux are Tripwire and OSSEC. See https://www.upguard.com/articles/tripwi ... ht-for-you
for a comparison.