biscuit-auth / website

website for Biscuit tokens

Home Page: https://www.biscuitsec.org/

new recipe: token requiring an extra signature before being sent on the wire

divarvel opened this issue · comments

This use case will be made possible by 3rd party tokens.

Context

A service delivers a token to a principal, but this token is not usable as is; it requires an identity proof making sure that the holder is the intended one. This mitigates token theft, as the token requires an extra proof to be accepted. For instance, this proof could be provided by a hardware token or a smart card.

Example

The token is delivered to principal A. A can prove their identity through the keypair pkA/skA.

Token

right("resource"); // this token grants access to the resource `resource`
check if user("A") trusting {pkA}; 

As it is, this token cannot be used, as the check cannot be fulfilled.

The only possible way to make this token valid is to append a third party block, signed by skA, containing the fact user("A").
The intended flow is that A adds it right before sending the query, with a very short TTL (a couple seconds), or with checks
that tie the 3rd party block to the request that's being sent.

user("A");
check if time($time), $time < {now + 30 seconds};
check if /* conditions tying the block to the request */

sequenceDiagram
    Token Emitter->>A: Token with identity check
    A-->>A: Appends Third-Party Block
    A->>Service: Presents Token with identity proof appended
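The three pieces of this recipe side by side, as an added example that is not part of the original issue: it fills the placeholder check with one possible request binding and shows what the service would evaluate. The `time`, `resource` and `operation` authorizer facts, the `allow` policy and every timestamp are assumptions constructed for illustration.

```datalog
// === Authority block, issued by the token emitter (as in the issue) ===
right("resource");
// Only a user("A") fact from a block signed with skA can satisfy this check.
check if user("A") trusting {pkA};

// === Third-party block, signed with skA, appended by A right before sending ===
// Constructed scenario: A is about to send a "read" on "resource"
// at 2024-01-01T00:00:00Z.
user("A");
// Short TTL: "now + 30 seconds" written out as a literal date.
check if time($time), $time < 2024-01-01T00:00:30Z;
// Assumed request binding: the block is only valid for this resource and
// this operation, as described by facts the service's authorizer provides.
check if resource("resource"), operation("read");

// === Authorizer, built by the service for the incoming request ===
// Facts describing the request as the service sees it (assumed names).
time(2024-01-01T00:00:05Z);
resource("resource");
operation("read");
// Without a `trusting` annotation, authorizer policies only see facts from
// the authority block and the authorizer itself, so an appended block
// cannot grant itself right(...).
allow if right($r), resource($r);

// Outcomes with these constructed values:
//  - token + block, request above ............. all checks pass, allowed
//  - token alone (stolen before A signs) ...... check on user("A") fails
//  - token + block replayed at 00:00:31Z ...... TTL check fails
//  - token + block reused for operation("write") ... binding check fails
```

An identical request replayed within the 30-second window still passes these checks; closing that gap needs a per-request fact supplied by the service, which this example does not model.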