How it is implemented in one of my services. During authorization, a token is created, which is then sent with all requests from the user. As soon as another authorization is made from this account, a new token is created, and all previous ones are reset to zero, and requests with this token begin to return a 403 error.

Just logout if a login from another device is fixed.

The logged in user must “lock” the account for himself, not allowing additional logins under the same account.
How to distinguish "this" visit from "others". Definitely not by IP, because the user may be mobile. By "browser fingerprint" or by a set of cookies.
At the next request, mutate the cookie so that copying cookies to another device does not help. Something like CSRF tokens to use with every request.
In the event of a user leaving, provide a timeout, after which any login to this account is allowed.

You need forevercookies and / or identification by additional parameters, for example https://github.com/Valve/fingerprintjs2
But it's better to solve such things in an administrative way - so you don't need to use one account for several people

by IP, by cookie creation status, by session, by an additional identifier that you can track, within the current user session. Mass options.
I would use an additional field in the database where I would write 1 after authorization.
And at the authorization stage, I would check this field, if there is 1, a bummer, otherwise we authorize.
But this is just an example.

When logging in, store the session_id() in the database. Then you compare the current one with what is written in the database, and if it doesn't match, logout.

$db_session_hash= $db_session_hash ?: get_session_hash($__id);//Хеш "текущей" активной сессии в базе если не получен ранее
      if($db_session_hash!=$_SESSION['auth']['session_hash']){
        unset($_SESSION['auth']);
        add_notification('danger', 'В ваш аккаунт выполнен вход на другом устройстве или браузере.');
      }