User identification

Client Program Identification

Good day. Now I am designing a client-server application for collecting data from client machines. The client is written in C, open source, downloading a binary assembly is possible from a personal account on the site. To identify the client program, it is planned to use a certain token - a random number, about 10 bytes, which is embedded in the program code immediately before uploading to the site. That is, the fact of downloading this instance binds the token to the client's account. The client part itself is useless, but with this identification scheme, it is possible to carry out banal sabotage - by launching an instance of the program, with a selected token, on a host that is not related to the customer, while it will send its information, as a result, on the server instead of useful statistics, you get information garbage. As an option, protection can be strengthened by a second token transferred at the stage of installing the client part, for example, a mac-address. But I don’t like something in this scheme, something on an intuitive level - I just haven’t realized yet what a rake this can turn out to be. Please critique this identification scheme.