Protect secret key on sender

Question

Context

In our game company we're choosing between different leaderboard service providers and I'm trying to decide if using one of them with a set structure will be "safe-enough".

I understand that "safe-enough" is very subjective, so I'm trying to understand the vulnerabilities of the system and how to improve on it if possible.

Additionally, a library to submit the scores has to be written (a business decision) on a C# DLL.

Data

This is the JSON that's being sent, through HTTPS, to the server to submit a score:

{
    'playerId': '123',
    'name': 'testy t',
    'score': 1000,
    'signature': 'HMAC SHA512 of leaderboardId + playerId + score with the boards secret key as the key'
}

Possible vulnerabilities

The service used is easy to know for the url address and the api is publicly available on www.leaderboards.io, so the attackers can see how the HMAC message is composed, but will lack the board's secret key.

The way that I see it, everything comes down to the secret key used for encrypting the message, so once the attacker obtains the secret key, fake results will be submited and we won't be able to do anything to prevent it (as changing the private key on an update will break the leaderboards for the rest of players that don't update).

The DLL library's API could ask for the private key on a method. This looks vulnerable to replacing the lib (a C# DLL) with a fake library to get the private key. I've thought of saving this to a file, with some kind of encryption, so the library gets the file's content and the attacker has to decrypt the file first to get it.

Questions

Does the HMAC has any vulnerability that I've ommitted?
Does HTTPS help in anyway I've ommitted (like preventing the JSON file from being read by an attacker)?
Can I do anything to prevent the attacker getting the private key with a reasonable time?
Is separating the secret key into a file a good idea? I think it may not be, as it's very easy to see where the secret key is stored vs find it in a variable inside the compiled DLL (which is easy to look into, but you got to decompile C# first and may be obfuscated).
I understand that storing a secret key on the application is a common need. Is there a common solution to this that I'm missing?

Edit

This has been marked as duplicate of a question that is very specific on flash and client to server communication. This questions is not about protecting the source code, but the private key used on the HMAC. If that is exposed somewhere that's not the source code, I don't care about the code.

If it's exposed on the code, I'd like to minimize so a relatively big amount of time is needed to decrypt it, but I understand that all data is probably going to be in the code anyway, so we cannot prevent it, but make the attacker's life harder.

Thanks!

Uploading a replay is the only approach that I'd consider reasonably secure. — CodesInChaos, Oct 12 '15 at 11:58
What do you mean by "uploading a replay"? We're talking about an external service that may not have what you ask for. — Xavier Arias Botargues, Oct 13 '15 at 11:51
I do not believe this a duplicate, this question has a much more specific context. As such my answer: I assume you are talking about an only client side game as in any multiplayer the server should send this data directly to the leaderboards server. In a client side game you will always have the possibility of people getting the encryption key and thus faking results, this will result in you having to manually filter some results. A solution to this is to have an account system and sending each client his own encryption key, this makes it easy to ban users that abuse the system. — Selenog, Oct 13 '15 at 12:32
Yes, we may ban clients by their ID, it's unique & based on another exterior system; they'll loose track of other stuff, like achievements, so that should keep them from doing it again. — Xavier Arias Botargues, Oct 13 '15 at 14:48