PATs give exactly the same control. You could trivially require a PAT on the first page load, before the browser gets to receive any of the content. And a header-based protocol can always be converted to a JS-driven protocol just by having the requests be issued from JS.
Content-binding is a necessity for the actual intended use case of these protocols (abuse prevention), but useless for the thing people are afraid of (DRM for the web).