by mooreds
1300 days ago
> It would be great if OAuth could include some form of cryptographic attestation

This is, as they say, a "known issue". Bearer tokens were defined in RFC 6750 and the thought was that more types of tokens would follow, including some that bound tokens and clients. It took a while. RFC 8705, mentioned elsewhere in the thread, is one approach. Another is DPoP, which was discussed at Identiverse in 2022.

Here's a presentation about the approach: https://www.youtube.com/watch?v=cot40RRoPsc

Here's the current draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-... (not sure how close they are to finishing, haven't seen much activity on the mailing list about it lately, though).