by dawnerd 1181 days ago
You'd think browsers would come up with a way to invalidate cookies and the like when data doesn't match the system.
1 comment

Any part of the system can be spoofed; virtual machines exist. In addition, once you have a session token, you don't even need to involve a browser, you can just make requests to the server directly.

From the perspective of a browser, it seems like a better mitigation would be to make it harder to steal these tokens in the first place. Cookies have to be persisted to disk in order to survive browser restarts, but maybe some cookies could be identified as password-equivalents and get stored in the system's keyring.

And of course, from the perspective of a server, they could probably be more credulous when they see a session token trying to make account management actions from a new IP.
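The server-side mitigation the reply sketches, written out as an added example that is not part of the thread: a session store that records the IP a token was issued to and refuses account-management actions from any other IP until the user re-proves the password from that IP. Everything here (the `SessionStore` class, the action names, the RFC 5737 documentation addresses used as sample IPs) is constructed for illustration; the point is that a stolen token alone does not get an attacker through the step-up, while ordinary browsing from a new IP is unaffected.

```python
"""Step-up authentication for session tokens that appear from a new IP.

Hypothetical example: a stolen session cookie lets an attacker replay
requests without a browser, so the server treats "account management
action from an IP that has never authenticated with this token" as
suspicious and demands a fresh password check before proceeding.
"""
import secrets
from dataclasses import dataclass, field

# Actions that are password-equivalent in effect (take over or lock out the account).
SENSITIVE_ACTIONS = {"change_password", "change_email", "add_recovery_phone", "delete_account"}


@dataclass
class Session:
    user: str
    token: str
    # IPs from which the user has proven the password for this session.
    # Populated at login and again on each successful step-up.
    authenticated_ips: set = field(default_factory=set)


class SessionStore:
    def __init__(self) -> None:
        self._by_token: dict[str, Session] = {}

    def login(self, user: str, ip: str) -> str:
        """Issue a fresh, unguessable token bound to the login IP."""
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(user=user, token=token, authenticated_ips={ip})
        return token

    def authorize(self, token: str, ip: str, action: str) -> str:
        """Return 'allow', 'step_up' or 'deny' for a request bearing `token`.

        Non-sensitive actions are allowed from any IP: IP is a weak signal
        (mobile networks, NAT, VPNs) and blocking browsing on it would be
        far too noisy. Sensitive actions require that this IP has already
        passed a password check for this session.
        """
        session = self._by_token.get(token)
        if session is None:
            return "deny"
        if action not in SENSITIVE_ACTIONS:
            return "allow"
        if ip in session.authenticated_ips:
            return "allow"
        return "step_up"

    def reauthenticate(self, token: str, ip: str, password_ok: bool) -> bool:
        """Record a successful step-up from `ip`; `password_ok` is the result
        of the caller's real credential check (stubbed as a bool here)."""
        session = self._by_token.get(token)
        if session is None or not password_ok:
            return False
        session.authenticated_ips.add(ip)
        return True


def demo() -> list[str]:
    """Walk through a legitimate login followed by replay of the same token
    from a different (attacker's) IP. Sample IPs are constructed from the
    RFC 5737 documentation ranges."""
    store = SessionStore()
    victim_ip, attacker_ip = "203.0.113.5", "198.51.100.7"
    token = store.login("alice", victim_ip)
    results = [
        store.authorize(token, victim_ip, "change_password"),    # allow: same IP as login
        store.authorize(token, attacker_ip, "view_profile"),     # allow: not sensitive
        store.authorize(token, attacker_ip, "change_password"),  # step_up: new IP, sensitive
    ]
    # Attacker has the token but not the password: step-up fails, still blocked.
    store.reauthenticate(token, attacker_ip, password_ok=False)
    results.append(store.authorize(token, attacker_ip, "change_password"))  # step_up
    return results


if __name__ == "__main__":
    print(demo())
```

The check only raises the bar; an attacker who also phishes the password passes the step-up, and a legitimate user roaming between networks gets prompted once per new IP. That trade-off is why it is applied only to the small set of account-management actions rather than to every request.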