I guess this is what Heroku was pushing for [1] when client tokens were leaked. They wanted GitHub to adopt RFC 8075 [2], which combines mutual TLS auth with the tokens, so that the tokens can only be used by authorized clients, not just anyone who had possession of the tokens.
[1] https://blog.heroku.com/april-2022-incident-review
[2] https://datatracker.ietf.org/doc/html/rfc8705
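
The binding the comment refers to, as an added example (not part of the original comment, and not GitHub's or Heroku's code): under RFC 8705 a certificate-bound token carries the SHA-256 thumbprint of the client certificate in its `cnf` claim as `x5t#S256`, and the resource server compares it with the certificate presented on the mutual-TLS connection. The function names and sample bytes are constructed, and the token's signature or introspection check is assumed to have been done already.

```python
import base64
import hashlib
import hmac
from typing import Optional


def cert_thumbprint(der_cert: bytes) -> str:
    """x5t#S256 value: base64url(SHA-256(DER certificate)) without padding."""
    digest = hashlib.sha256(der_cert).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, presented_der_cert: Optional[bytes]) -> bool:
    """Resource-server check for a certificate-bound access token.

    `claims` are the already-validated token claims (assumption);
    `presented_der_cert` is the client certificate from the TLS layer,
    or None when the connection was not mutually authenticated.
    """
    if presented_der_cert is None:
        return False  # no client certificate, so possession cannot be proven
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        return False  # plain bearer token: rejected under a bound-only policy
    actual = cert_thumbprint(presented_der_cert)
    return hmac.compare_digest(expected.encode(), actual.encode())


def demo() -> dict:
    # Constructed stand-ins for DER-encoded certificates, not real certs.
    client_cert = b"constructed-DER-bytes-of-authorized-client"
    other_cert = b"constructed-DER-bytes-of-another-party"
    claims = {"sub": "integration-1",
              "cnf": {"x5t#S256": cert_thumbprint(client_cert)}}
    return {
        "authorized_client": token_bound_to_cert(claims, client_cert),
        "leaked_token_other_cert": token_bound_to_cert(claims, other_cert),
        "leaked_token_no_mtls": token_bound_to_cert(claims, None),
        "unbound_token": token_bound_to_cert({"sub": "x"}, client_cert),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A leaked token fails the check unless the holder also has the private key for the bound certificate, since the TLS handshake is what proves possession of that key.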