Problem/Motivation
A decoupled Drupal backend/OAuth server might have different parties and devices authenticating (e.g. mobile app, web app, chatbot, API, browser, etc.). The correct OAuth way is to configure a consumer for each party and roles as scopes for consumers.
But how to disallow authentication from a party/device that uses a different consumer? And take action.
An action could be logging the authentication, disallowing the login, sending an email, or sending an HTTP response back. Meaning the user registered with consumer X can't use a consumer Y, and if they do, we take action.
Example:
If a user has a role X, they are not allowed to authenticate using consumer Y. Meaning, when registering using a mobile app (the device/party) using the consumer named "mobile123", they get a "mobile_app" role. Now they have a valid Drupal user and they can authenticate using any consumer and device, which can have unexpected consequences.
What I try to achieve:
By registering, a user receives a role X and valid tokens. Afterwards they are only allowed to authenticate using that same consumer, and are not allowed to log in using other consumers with a role Y.
The secondary motive is security, because of privilege escalation or access bypass vulnerabilities. In case of an attack the user would acquire tokens using a consumer X and try to log in using different parties and analyze the responses.
One could think of this as OAuth hardening, like Drupal's allowedOrigins or the HTTP Access-Control-Allow-Origin header. This would also allow getting statistics about what kind of devices are used to log in, how much, and which consumer is used.
Because the "Drupal way" would be using roles per consumer, but those are reserved to be used as scopes.
Finally the question:
What is the correct way to implement login restrictions?
Is there a hook to take action before responding (giving out tokens)?
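One way to enforce the consumer-to-role binding described in this issue, as an added example that is not part of the original post and not code from the Simple OAuth module: a kernel request subscriber that inspects password-grant requests to the token endpoint, loads the named user, and rejects the request with an RFC 6749 `unauthorized_client` error when the user does not hold the role that consumer requires. The module name `consumer_guard`, the class name, and the `client_id` to role mapping are all assumptions constructed for the example; the token endpoint path `/oauth/token` and the `grant_type`/`client_id`/`username` parameters are the standard password-grant request fields.

```php
<?php

namespace Drupal\consumer_guard\EventSubscriber;

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Logger\LoggerChannelInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Rejects password-grant token requests whose user does not hold the role
 * bound to the requesting consumer, and logs the attempt.
 *
 * Hypothetical module "consumer_guard"; the mapping below is constructed for
 * this example and would normally live in configuration.
 */
class ConsumerRoleGuard implements EventSubscriberInterface {

  // Constructed mapping: the role a user must hold to use a given client_id.
  const ALLOWED_ROLE_BY_CLIENT = [
    'mobile123' => 'mobile_app',
    'webapp456' => 'web_app',
  ];

  public function __construct(
    protected EntityTypeManagerInterface $entityTypeManager,
    protected LoggerChannelInterface $logger,
  ) {}

  public static function getSubscribedEvents(): array {
    // High priority so the check runs before the token controller.
    return [KernelEvents::REQUEST => ['onTokenRequest', 100]];
  }

  public function onTokenRequest(RequestEvent $event): void {
    $request = $event->getRequest();
    if (!$event->isMainRequest() || $request->getPathInfo() !== '/oauth/token') {
      return;
    }
    // Only the password grant names the user up front; other grants fall
    // through to the normal flow untouched.
    if ($request->request->get('grant_type') !== 'password') {
      return;
    }
    $clientId = (string) $request->request->get('client_id', '');
    $username = (string) $request->request->get('username', '');

    $requiredRole = self::ALLOWED_ROLE_BY_CLIENT[$clientId] ?? NULL;
    if ($requiredRole === NULL) {
      // Consumer not covered by the policy: let the server validate it.
      return;
    }

    $users = $this->entityTypeManager->getStorage('user')
      ->loadByProperties(['name' => $username]);
    $user = reset($users);
    // Unknown user or matching role: fall through so the server returns its
    // usual generic error or issues the token. Not answering differently for
    // unknown users avoids turning this check into a username oracle.
    if (!$user || $user->hasRole($requiredRole)) {
      return;
    }

    $this->logger->warning('Token request for user @user via consumer @client denied: role @role missing.', [
      '@user' => $username,
      '@client' => $clientId,
      '@role' => $requiredRole,
    ]);
    // RFC 6749 section 5.2 token error response.
    $event->setResponse(new JsonResponse([
      'error' => 'unauthorized_client',
      'error_description' => 'This account may not authenticate with this consumer.',
    ], 400));
  }

}
```

The subscriber is registered in the module's `consumer_guard.services.yml` with the `event_subscriber` tag, injecting `@entity_type.manager` and a logger channel. Because it runs before the password is verified, it decides on username and role alone; the unknown-user branch deliberately does nothing so that the only observable difference is between a known user with the wrong role and everyone else. The log line gives the per-consumer statistics the issue asks for as a by-product.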
Comments
Comment #2
tipit commented
Comment #3
simonbaese commented
I am also interested in this question. @TipiT How did you solve this problem?