How token binding works is complicated. I don’t know how it works on non-Windows platforms. But this Twitter thread has some good details on token binding on the Windows platform. Some key takeaways from that thread:
The obvious: with token binding, you can’t do lateral movement, because the token is only good on the computer it is on.
You can further protect the token with Windows 10’s Key Guard, a hypervisor key isolation service.
Edge, IE, and the HTTP stack on Windows 10 all support token binding.
There are downsides to token binding: no 0-RTT, you can’t share tokens :), and proxies might break/strip your access.
In the near future, you can add FIDO as an additional layer of protection, which gives you a portable hardware token you can bind your AAD token to, in addition to the client computer binding.
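To show why a bound token is "only good on the computer it is on", here is an added Go model of the proof-of-possession step behind token binding; it is not code from the post, the Twitter thread, or Windows, and it assumes a per-device P-256 key, the SHA-256 of that key's DER public half as the binding ID, and a constructed byte string standing in for the TLS exported keying material (EKM).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// Token is what the server issued: a subject tied to the hash of one device's binding key.
type Token struct{ Subject string; BindingID [32]byte }

// NewBindingKey generates a fresh P-256 key; the private half never leaves the device.
func NewBindingKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to continue with
	}
	return k
}

// BindingID is the SHA-256 of the DER-encoded public key, the value baked into the token.
func BindingID(pubDER []byte) [32]byte { return sha256.Sum256(pubDER) }

// Prove returns the public key and a signature over this connection's exported keying
// material (ekm), which only the holder of the private key can produce.
func Prove(key *ecdsa.PrivateKey, ekm []byte) (pubDER, sig []byte) {
	pubDER, _ = x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a P-256 key
	h := sha256.Sum256(ekm)
	sig, _ = ecdsa.SignASN1(rand.Reader, key, h[:])
	return pubDER, sig
}

// Verify accepts the token only if the presenter proves possession, on this connection,
// of exactly the key whose hash the token carries; a copied token fails on another machine.
func Verify(t Token, ekm, pubDER, sig []byte) bool {
	if BindingID(pubDER) != t.BindingID {
		return false // token was minted for a different device's key
	}
	pk, err := x509.ParsePKIXPublicKey(pubDER)
	ec, ok := pk.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	h := sha256.Sum256(ekm)
	return ecdsa.VerifyASN1(ec, h[:], sig)
}
```

The EKM changes per TLS connection, so a captured signature cannot be replayed on a later session either, which is the same reason the post notes that 0-RTT and token-stripping proxies do not fit.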