Comment by mschuster91

2 years ago

No. A bearer token (which almost all credentials are) doesn't say anything about the device that is using it.

The sole exception is tokens tied to a device's HSM (TPM, Secure Enclave, TrustZone, ...) - you can't clone these onto another device.

ETA: to expand a bit... passwords, SSL client certificates, JWTs, tokens generated after a SAML assertion, they are all fungible bearer tokens. A server has no way of verifying whether what is presented to it originates from an intentional act of a user, or whether a malicious third party has duplicated the token somehow and is using it from somewhere else. An attacker can act just the same as the user themselves can. An HSM-backed token, i.e. having the server send a preflight challenge value, and the client HSM signing that challenge together with the token to send back with the actual request, at least proves that the request originated from the device expected to be in control of the user. However, such a scheme comes at a high cost - the user needs to be in possession of a capable device, the HSM needs to be secure, and doing preflight requests to obtain the challenge adds considerable latency.
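The challenge/response scheme the comment sketches, as an added example (not the commenter's code and not any specific vendor's protocol). The device-resident key is a software ECDSA P-256 key standing in for a key that would live in a TPM or Secure Enclave; the only thing the rest of the program can do with it is ask for a signature. All names (Device, Server, Challenge, Scenario, the token string) are made up for the illustration. The server binds each challenge to one use, enrols the device's public key against the token, and verifies that the signature over challenge+token was produced by the enrolled key. The example then runs the three cases the comment distinguishes: the real device, an attacker who has copied the bearer token but cannot copy the key, and a replay of an earlier signed request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models a client whose signing key is HSM-resident: the private key is
// never exported, only Sign() is exposed. (Here it is just an in-memory key.)
type Device struct {
	key   *ecdsa.PrivateKey
	Token string // the fungible bearer token the comment talks about
}

func NewDevice(token string) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{key: k, Token: token}, nil
}

func (d *Device) Public() *ecdsa.PublicKey { return &d.key.PublicKey }

// digest binds the server's challenge to the token so that a signature for one
// token cannot be presented alongside a different token.
func digest(challenge []byte, token string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte{0}) // separator between the two fields
	h.Write([]byte(token))
	return h.Sum(nil)
}

// Sign is the only operation the "HSM" offers: sign (challenge || token).
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.key, digest(challenge, d.Token))
}

// Server knows, per token, which public key was enrolled for the device that
// is supposed to hold that token, and which challenges are still outstanding.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string]bool // single-use nonces issued by Challenge()
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

func (s *Server) Enroll(token string, pub *ecdsa.PublicKey) { s.keys[token] = pub }

// Challenge is the preflight round trip: a fresh random nonce the client must sign.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[string(c)] = true
	return c, nil
}

// Verify accepts the request only if the challenge is outstanding (then burns
// it) and the signature checks out under the key enrolled for this token.
func (s *Server) Verify(token string, challenge, sig []byte) error {
	if !s.challenges[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, string(challenge))
	pub, ok := s.keys[token]
	if !ok {
		return errors.New("unknown token")
	}
	if !ecdsa.VerifyASN1(pub, digest(challenge, token), sig) {
		return errors.New("signature not made by the key enrolled for this token")
	}
	return nil
}

// Outcome records whether each of the three requests was accepted.
type Outcome struct{ Legit, StolenToken, Replay bool }

// Scenario runs: (1) the enrolled device, (2) an attacker holding a copy of the
// token but a different key, (3) a replay of the legitimate signed request.
func Scenario() (Outcome, error) {
	srv := NewServer()
	dev, err := NewDevice("opaque-session-token") // constructed sample token
	if err != nil {
		return Outcome{}, err
	}
	srv.Enroll(dev.Token, dev.Public())

	c1, err := srv.Challenge()
	if err != nil {
		return Outcome{}, err
	}
	sig1, err := dev.Sign(c1)
	if err != nil {
		return Outcome{}, err
	}
	legit := srv.Verify(dev.Token, c1, sig1) == nil

	thief, err := NewDevice(dev.Token) // same token, attacker's own key
	if err != nil {
		return Outcome{}, err
	}
	c2, err := srv.Challenge()
	if err != nil {
		return Outcome{}, err
	}
	sig2, err := thief.Sign(c2)
	if err != nil {
		return Outcome{}, err
	}
	stolen := srv.Verify(thief.Token, c2, sig2) == nil

	replay := srv.Verify(dev.Token, c1, sig1) == nil // c1 already consumed
	return Outcome{legit, stolen, replay}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit=%v stolenToken=%v replay=%v\n", out.Legit, out.StolenToken, out.Replay)
}
```

The extra latency the comment mentions is visible in the structure: every request is preceded by a Challenge() round trip before Sign() and Verify() can happen. The single-use nonce is what stops a captured (challenge, signature) pair from being presented again, and enrolling the public key per token is what turns the fungible bearer token into something the server can tie to one device.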