Possession protocols — like POAP — exist to answer: which device is operating now, with a registered key, after identity is already established. That complements OAuth; it does not replace it.
Auth21 Perspective
A signing device ≠ a logged-in user
Cryptographic possession is a different layer from identity. Conflating the two creates a false sense of security for critical operations.