I guess it's a matter of what the IdP attests. It's definitely possible for an IdP like Okta to include a ton of client details as part of the attestation payload. Stuff like GeoIP, client certificate fields, MDM status, etc.
>>xyzzy_+(OP)
Right, but you have to individually set up all of your apps to work with it; the proxy can be mandatory for all apps by dint of network controls.