A couple of things that can start to help with this situation:
Token Binding + client TLS certs
You store the private keys for the client TLS cert in your TPM, then you can indicate the TLS cert fingerprint in the JWT. The server validating the JWT ensures that the fingerprint in the token matches the TLS remote side certificate fingerprint. This gets part of what you are asking about.
OAuth Proof of Possession
Similar concept, as part of the JWT validation, you can require that the sender prove they have possession of a specific private key.
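The certificate-bound check described above, written out as an added example (not code from the answer above). It assumes a constructed byte string standing in for the DER client certificate, and an HMAC (HS256) signature instead of a real issuer key so that it runs stand-alone; the binding itself follows the `cnf` / `x5t#S256` thumbprint confirmation from RFC 8705.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    # base64url without padding, as used in JWT segments and x5t#S256 values
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def x5t_s256(cert_der: bytes) -> str:
    # Thumbprint confirmation value: SHA-256 over the DER-encoded certificate
    return b64url(hashlib.sha256(cert_der).digest())


def issue_bound_token(claims: dict, cert_der: bytes, key: bytes) -> str:
    # Issuer side: bind the token to the client's TLS certificate via cnf.x5t#S256
    payload = dict(claims, cnf={"x5t#S256": x5t_s256(cert_der)})
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def validate_bound_token(token: str, presented_cert_der, key: bytes) -> dict:
    # Resource-server side: verify the signature, then require that the certificate
    # authenticated on this TLS connection matches the thumbprint inside the token.
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    bound = payload.get("cnf", {}).get("x5t#S256")
    if bound is None:
        raise ValueError("token is not certificate-bound")
    if presented_cert_der is None:
        raise ValueError("no client certificate on this TLS connection")
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        raise ValueError("client certificate does not match token binding")
    return payload


# Constructed stand-ins for two DER certificates and a shared issuer key (not real PKI material)
CERT_A = b"\x30\x82\x01\x00constructed-client-cert-A"
CERT_B = b"\x30\x82\x01\x00constructed-client-cert-B"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    tok = issue_bound_token({"sub": "svc-1"}, CERT_A, KEY)
    print(validate_bound_token(tok, CERT_A, KEY)["sub"])  # accepted: same cert as bound
```

A token that leaks from the holder of CERT_A is rejected on any connection that does not present CERT_A, which is the replay protection the binding buys.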