Is it possible to restrict a token to one device so that someone cannot copy the token and use it on another device?
At this time, the issued access tokens are considered bearer tokens, which means that any entity that has access to the token (the bearer) can perform requests using that access token for as long as the access token remains valid. There is an OAuth draft about token binding that would address your requirements, but at this time it is not supported or even widely used.
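The difference between a bearer token and a device-bound token, as an added example that is not part of the original answer and not the mechanism of the OAuth draft: a toy resource server that accepts a signed token from anyone, next to one that also demands proof of a key registered when the token was issued. All names are hypothetical, and the shared HMAC device key is a simplifying assumption; real token-binding schemes use an asymmetric key pair held by the client.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key of the toy server
_bound_keys = {}                      # token -> device key registered at issuance

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()

def issue_bearer(user: str) -> str:
    """Signed token with no link to any device."""
    claims = f"{user}:{secrets.token_hex(8)}"
    return f"{claims}.{_mac(SERVER_KEY, claims.encode()).decode()}"

def check_bearer(token: str) -> bool:
    """Accepts whoever presents a validly signed token."""
    claims, _, sig = token.rpartition(".")
    return hmac.compare_digest(sig.encode(), _mac(SERVER_KEY, claims.encode()))

def issue_bound(user: str, device_key: bytes) -> str:
    """Same token format, but the server records the device key it belongs to."""
    token = issue_bearer(user)
    _bound_keys[token] = device_key
    return token

def prove(device_key: bytes, token: str, nonce: bytes) -> bytes:
    """Client side: MAC the token and a server-issued nonce with the device key."""
    return _mac(device_key, token.encode() + nonce)

def check_bound(token: str, nonce: bytes, proof: bytes) -> bool:
    """Valid signature is not enough; the proof must match the registered key."""
    key = _bound_keys.get(token)
    if key is None or not check_bearer(token):
        return False
    return hmac.compare_digest(proof, prove(key, token, nonce))

def demo() -> dict:
    device_a, device_b = secrets.token_bytes(32), secrets.token_bytes(32)
    bearer = issue_bearer("alice")
    bound = issue_bound("alice", device_a)
    nonce = secrets.token_bytes(16)  # a real server would issue this and reject reuse
    return {
        "bearer_on_other_device": check_bearer(bearer),
        "bound_on_device_a": check_bound(bound, nonce, prove(device_a, bound, nonce)),
        "bound_copied_to_b": check_bound(bound, nonce, prove(device_b, bound, nonce)),
    }
```

The binding only holds if the device key cannot be copied along with the token, so in practice it has to live in non-exportable storage on the device.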