User identification

How to safely send a user's fingerprint from the client so that it cannot be faked?

We authorize the user with a randomly generated key, which is stored in cookies. I would like to make it so that an attacker who stole the key from the cookie could not use it. So far, it only came to mind to take the IP and User-Agent, and if they change, then the user should reset the key and offer to re-login to the account.
In modern botnets, bots can act as proxies, and the user-agent can be stolen by a stealer.
Since most of the attacks are massive, and not targeted, it means that accounts are checked after the collection process. This time may allow us to take certain actions for the security of the account - this is a key change after a short time. For example, every 1-2 minutes. Or every 30 seconds.
But the problem still remains unresolved, since the attack may be on a specific user. An attacker, knowing how authentication goes through, steals data in 10 seconds and manages to use it in another 10 seconds. And that's it. In the bag.
For such a case, I have nothing to keep the user's account safe.
The only thing I found on the net is the FingerPrint.js library.
The bottom line is that when we authenticate a user, we take his fingerprint and enter it into the database.
But that's bad luck) An attacker knowing that sending some line with data will sniff this line using malware. Or inject your js script into the page code
And that's it. Bingo. Instead of his fingerprint, the attacker sends the victim's fingerprint along with the request to the server, simply replacing the POST request and stealing the data.
Dear connoisseurs. I have a question. How to protect the user?