@mjg59 My favorite idea is a variant of Chrome's device-bound credentials, but also binding the individual cookies to the IP or prefix they were issued to (/64 in the case of v6) such that you must refresh the cookie (thus hitting the asymmetric crypto) when you change networks.
About the only thing that would break that is certain types of CGNAT or NAT64 AFAIK (ones where pool IPs aren't "sticky" for any given client, so a client can get different v4 addresses for every connection).
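
One way a server could implement the prefix binding described in the post above (an added example, not code from the poster or from Chrome). The HMAC cookie format, `SERVER_KEY`, `COOKIE_TTL` and the function names are assumptions, and the device-bound refresh itself is out of scope: `check_cookie` only reports when that refresh is needed.

```python
import hashlib
import hmac
import ipaddress
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
COOKIE_TTL = 600                       # assumption: lifetime of a bound cookie, seconds


def network_scope(client_ip, v4_prefix=32, v6_prefix=64):
    """Network a cookie is bound to: the single address for v4, the /64 for v6."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # treat ::ffff:a.b.c.d as plain v4
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def _mac(session_id, scope, expires):
    msg = f"{session_id}|{scope}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id, client_ip, now=None):
    """Mint a short-lived cookie; meant to run only after a successful refresh.

    session_id is assumed to be an opaque token that contains no '|'.
    """
    expires = int((time.time() if now is None else now) + COOKIE_TTL)
    return f"{session_id}|{expires}|{_mac(session_id, network_scope(client_ip), expires)}"


def check_cookie(cookie, client_ip, now=None):
    """Return 'ok', 'refresh' (other network, expired or bad MAC) or 'invalid'."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return "invalid"
    session_id, expires, mac = parts[0], int(parts[1]), parts[2]
    # The scope is recomputed from the connection, never read from the cookie,
    # so a cookie replayed from a different prefix fails the MAC check.
    expected = _mac(session_id, network_scope(client_ip), expires)
    if not hmac.compare_digest(mac, expected):
        return "refresh"
    if (time.time() if now is None else now) >= expires:
        return "refresh"
    return "ok"
```

With the default /32 scope for v4, a client behind a non-sticky CGNAT pool gets `refresh` on every connection that leaves from a different pool address, which is the breakage the post describes.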