if the access is paid, then block the user in case of suspicion, and let him prove that he came in.
on the other hand - if he paid for access / content - then formally he can use (view) it as he pleases (from any IP / browsers, etc.)
look on the internet there is a script - which quite accurately determines the user - fingerprintjs2 this one is like

I would do the following.
1. I added a little authorization module on your site. Also checked, whether the user is authorized or not. If authorized, then do not let him in until he logs out of the account.
--Not a great option, but still worth a try.
2. Authorization via SMS. Yes, it can be costly, but it works.
First of all, I would start from the first option.

Are people really different? Or maybe I came from home - this is one SP, I'm going to work in a bus / metro / car, Internet mobile - another SP, I'm sitting at work - the third SP. And the SP dynamics and, as it were, are not always the same. Yes, and the IP can be issued differently. And about the browser ... At home, chrome, in mobile Yandex / native phone, at work firelis / chrome / Yandex / ie (depending on what is open), for example.
By the way, it determines me from the Internet mob in a neighboring city, although it is 500 km away. Here you have 3 people already. This must also be taken into account.
And so it is not clear why you need it. I don't think the content is so valuable to be parsed or copied. Moreover, in addition to your content, there is enough in public.

Firstly, it is worth specifying in the rules for using the service a prohibition to transfer the username and password to other people. Those. upon registration, the person agrees to this.
Notifications: Next, you can send notifications that you have suspicions of violating the rules for using the service. Here you can easily indicate the reason. But you must be sure that it is.
Social networks: Still, as an option, you can make authorization through the social. networks. And if the account is registered on the social. network, then the warehouse is unlikely to give access to it. Although there is an option that the account will be fake.
Sessions: Prohibition of simultaneous sessions, if a new session is authorized, then delete all others.
SMS and sessions:SMS authorization and one active session. If a lot of people sit on the pool, then this will make it difficult to use the service due to the constant need for authorizations.
The maximum number of different connections : determine the type of client: its browser, IP, in general, any trace. And if there are many such sessions (p. sessions) in N time, then this is a chance to send a notification (p. 1).
In general, the first point is the most important, you can think further.

Give access to the site only with 2 active sessions: 1 mobile, 1 PC. Well, you can add another PC session, for example, a working PC. If more is activated, disable the oldest session.