This is a tough question. I'm going to start with two alternate options you should consider first (2FA and short sessions) and then get into hardware identification later in my answer.
A different option would be to use the unique device as part of two-factor authentication (2FA). Use a phone number and send an SMS message containing some random digits to their phone whenever a login occurs (e.g. Twilio is a decent service for doing this, but can get rather pricey if you send many SMS messages). That allows someone to log in from any device of their choosing but they have to have the device in question in their possession. To limit the login to a single floating device, you can set it up so only one session is allowed at one time for a single account. That way, if someone else manages to log in (very hard), the other device gets kicked out. Tying the account to a company-issued phone and using SMS means that the device is almost certainly in the possession of the person at the time of login.
Another option is to integrate your login system with a YubiKey or other hardware key that implements the U2F or FIDO2 protocols. Supporting these devices requires browser support either directly or through extensions. The keys are also kind of pricey.
Sending a 2FA code via email and using Google Authenticator (an app) are two additional 2FA options that don't require spending money. I implement both of these in the open source CubicleSoft Single Sign-On (SSO) software:
https://github.com/cubiclesoft/sso-server
I also recommend using a short session timeout (e.g. a 5 minute floating window). As long as the browser tab is open, send a periodic heartbeat to the server to keep the session alive (or don't and require interaction to keep the session alive - it depends on the application). Once all tabs are closed, the session terminates, which requires the user to log in again. The SSO server product above also supports short session management out of the box. Combining a 2FA mechanism with short sessions mitigates multiple users logging into a single account on multiple devices.
Hardware fails and people purchase new hardware when new, shiny things come out. Tying authentication to a specific piece of hardware is liable to cause real headaches down the road when the user has to switch devices.
However, if you REALLY want to tie the login to a single device, you should look in the general direction of "web browser fingerprinting". The ad serving and analytics industries are constantly looking for ways to do what you describe so they can accurately track a person as they travel around the web without relying on browser cookies so that the tracking information persists even if cookies/localStorage are deleted.
This website mentions and demonstrates several techniques:
https://browserleaks.com/
Another option would be to use attached hardware device IDs:
http://cubicspot.blogspot.com/2019/01/hardware-fingerprinting-with-web-browser.html
Phones and tablets almost always have a camera attached. Laptops generally do too. Desktop PCs might not.
However, if you rely on just that or any other particular API, it is something that will likely change/break in the future.
Caveat: Doing anything that uniquely identifies a device or user without their express permission is a possible violation of GDPR and/or the California Consumer Privacy Act of 2018. Your employer should consult a lawyer if they conduct business in the EU or California and will use your login system with users in those locales.
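The sketch below is an added example, not code from the answer above or from the CubicleSoft SSO server. It combines the three server-side rules the answer describes: a random-digit 2FA code checked at login, one session per account so a new login displaces the old device, and a 5 minute floating window extended only by heartbeats. The class name, method names, the in-memory dictionaries and the 10 minute code lifetime are assumptions made for illustration.

```python
import hmac
import secrets

SESSION_WINDOW = 5 * 60   # floating window from the answer: 5 minutes
CODE_LIFETIME = 10 * 60   # assumption: how long a sent 2FA code stays usable


class SingleSessionStore:
    """One live session per account, kept alive only by heartbeats."""

    def __init__(self, clock):
        self.clock = clock    # callable returning seconds; injectable for tests
        self.codes = {}       # account -> (code, expires_at)
        self.sessions = {}    # account -> (token, expires_at)

    def issue_code(self, account):
        """Create the random digits that would be sent by SMS or email."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[account] = (code, self.clock() + CODE_LIFETIME)
        return code

    def login(self, account, submitted_code):
        """Check the 2FA code once; on success replace any existing session."""
        # pop() makes the code single use: a wrong guess burns it as well.
        code, expires_at = self.codes.pop(account, ("", 0.0))
        ok = hmac.compare_digest(code.encode(), submitted_code.encode())
        if not code or not ok or self.clock() >= expires_at:
            return None
        token = secrets.token_urlsafe(32)
        # Overwriting the entry is what kicks the other device out.
        self.sessions[account] = (token, self.clock() + SESSION_WINDOW)
        return token

    def heartbeat(self, account, token):
        """Slide the window forward if this token is still the live session."""
        current, expires_at = self.sessions.get(account, ("", 0.0))
        if not current or not hmac.compare_digest(current.encode(), token.encode()):
            return False      # never logged in, or displaced by a newer login
        if self.clock() >= expires_at:
            del self.sessions[account]   # no heartbeat for a full window
            return False
        self.sessions[account] = (token, self.clock() + SESSION_WINDOW)
        return True
```

In a deployment the two dictionaries would live in the server's session storage, and `heartbeat` would be called from the periodic request the open browser tab sends.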