Changing the scope of a token, or need something like the AD on-behalf-of flow

I have a requirement where I am getting one token from the Authorization Server (Auth0) which is used to authenticate both the API and the device.


If my device gets compromised, then with the token the attacker can invoke the API.
Is there any way I can restrict the token to only access the device or only access the API?
I want Auth0 to issue a token specific to the API and a token specific to the device.
Is there any feature that can help here?
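Added example, not part of the original question or of Auth0's own code: it shows the check that gives the separation the poster is asking for. Each resource server must enforce the `aud` claim of the access token, so a token minted for the device-facing API is refused by the backend API even though both tokens come from the same issuer and are signed with the same key. Auth0 sets `aud` from the API identifier the client requests as `audience`; the example models that with a minimal HS256 JWT built from the standard library rather than Auth0's RS256 tokens, and the issuer URL, audience identifiers, subjects, scopes and signing secret are placeholders chosen for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder identifiers (assumptions for this example, not values from the post).
ISSUER = "https://tenant.example.auth0.com/"
API_AUDIENCE = "https://api.example.com"        # identifier of the backend API
DEVICE_AUDIENCE = "https://device.example.com"  # identifier of the device-facing API
SECRET = b"demo-signing-key-do-not-use"         # one issuer key shared by both audiences


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, audience: str, scope: str, now: Optional[int] = None, ttl: int = 3600) -> str:
    """Issuer side: mint an HS256 JWT bound to exactly one audience."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": audience, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, expected_audience: str, required_scope: Optional[str] = None,
                 now: Optional[int] = None) -> dict:
    """Resource-server side: signature, issuer, expiry, audience and optional scope must all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:  # the check that keeps a device token out of the API
        raise ValueError("audience mismatch")
    if required_scope is not None and required_scope not in claims.get("scope", "").split():
        raise ValueError("missing scope")
    return claims


def is_accepted(token: str, expected_audience: str, required_scope: Optional[str] = None,
                now: Optional[int] = None) -> bool:
    """True if this resource server would honour the token, False for any verification failure."""
    try:
        verify_token(token, expected_audience, required_scope, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    api_token = mint_token("user|123", API_AUDIENCE, "read:orders", now=t0)
    device_token = mint_token("device|abc", DEVICE_AUDIENCE, "report:telemetry", now=t0)
    print("API accepts API token:      ", is_accepted(api_token, API_AUDIENCE, now=t0))
    print("API accepts device token:   ", is_accepted(device_token, API_AUDIENCE, now=t0))
    print("device accepts device token:", is_accepted(device_token, DEVICE_AUDIENCE, now=t0))
```

The point the demo makes is that the key does not separate the two services; the audience check in the verifier does. A compromised device only holds a token whose `aud` is the device API, so replaying it against the backend API fails at `audience mismatch` before any scope is even looked at. The scope check is a second, finer gate inside one audience and does not replace the audience check.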