Are there any forms of "Sender Constraint" when issuing credentials with "AssumeRoleWithWebIdentity"?

Suppose I have a generic OIDC provider that mints ID Tokens and I pass one to AWS (through an AWS OIDC Provider and connecting something like a Cognito Identity Pool) to receive STS credentials in return.

When those credentials expire, I do it again and get new credentials.

Suppose I'm dumb, have an insecure app, or have dumb users falling for phishing scams and leaking out their OIDC ID Token. Are there any measures in place/possible to implement that prevents someone else from getting STS credentials using that same token? (i.e. MTLS, DPoP)