Is User Agent + IP check enough to authorize the use of a hash+endpoint in an API?

Question

Situation

I'm making an API from scratch, and security is a big problem for me when thinking about APIs (especially REST-APIs). I'm using a method similar to JWT (hashing data like 'issued_at', 'expiration_at' and user-info (email, userid) into a single hash string with salt when the login was successfull, and give it to the user, but not exactly like it), and every time a user wants to access anything beyond the login endpoint, I'm checking the provided token (hash) if it is still valid or not.

My question:

I want to check more things than the validity of the hash, because if some hackers steal someone's hash and use it before it expires, they can do things unauthorized (even when the hashes expire after 5 minutes by default). I was thinking about hashing the IP and the User-Agent string of the HTTP request along with the other details said previously when the login was successfull and I generate the hash, and checking it every time if the requesting UA+IP and the hashed UA+IP are the same. (so when someone tries to use the hash from another IP or UA, I can assume it was stolen, so I can invalidate it and request the requester to log in again). Is it a good thing to do, or in other words, does it really adds another layer of security to the whole authorization/authentication? (of course, the main security layer stays the same, the validity of the hash itself. But would this thing make it any safer?)

Disclaimer

I know that a lot of other types and methods of authorization exists, but I don't need answers like "use xyz's method, oauth2, its safer", but answers that really give me an explanation about the dos and don'ts, strictly about the UA and IP address. I want to make my own authorization (at least the concept), to learn more about these things. Thank you in advance!