Band-Aid achieved. But it shouldn't be possible to do this in the first place--it's a security hole and one that could have been expected. Maybe have iTunes Connect only accept submissions from an unmodified Xcode?
Impossible unless you stop allowing developers to compile code using the command line and merge the command-line tools into the main Xcode binary itself. Otherwise, a fake Xcode can be as simple as interposing another binary that injects code into the source code on its way to the compiler and adds an extra static library to any final link line.
Yes, ostensibly Apple could make Xcode itself do some sort of checks to ensure that the binaries are unmodified, but someone could just binary-patch in a new signature, and it isn't hard to search a binary for a specific sequence of bytes. It is rather hard to hide such checks in a way that can't be thwarted. Provably impossible, in fact, though you can take steps to make it harder. Basically, it's the DRM problem all over again.
If the Xcode binary isn't signed by Apple anyway, and if developers didn't notice that, then there's very little Apple can usefully do to make it more obvious that the software is counterfeit beyond what they have already done.
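An added example, not part of the thread: a developer-side check for the "signed by Apple" condition mentioned above, run through the operating system's `spctl` rather than through Xcode itself. The function names and the sample outputs in the comments are constructed for illustration; the default path `/Applications/Xcode.app` is an assumption.

```shell
#!/bin/sh
# Classify the output of `spctl --assess --verbose <app>` for a copy of Xcode.
# "trusted" requires BOTH an accepted assessment and an Apple origin, because
# an app re-signed with a third-party Developer ID is also "accepted".
#
# Constructed sample outputs:
#   /Applications/Xcode.app: accepted      /Applications/Xcode.app: accepted
#   source=Mac App Store                   source=Developer ID

classify_spctl() {
    accepted=no
    apple_source=no
    # Read line by line; also handle a final line with no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *": accepted")
                accepted=yes ;;
            "source=Mac App Store"|"source=Apple"|"source=Apple System")
                apple_source=yes ;;
        esac
    done
    if [ "$accepted" = yes ] && [ "$apple_source" = yes ]; then
        echo trusted
    else
        echo untrusted
    fi
}

# Run the assessment on a real installation (macOS only).
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    # Capture both output streams so the verdict lines reach the classifier.
    spctl --assess --verbose "$app" 2>&1 | classify_spctl
}

# Only attempt the live check where spctl exists.
if command -v spctl >/dev/null 2>&1; then
    check_xcode "$@"
fi
```

The result is only as reliable as the machine it runs on: it depends on the system's `spctl` being unmodified.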