Currently the backup contains the password, which is enough to set up an unlimited number of devices. There is no way to control the number of devices that access the account, because all devices share the same password and the same key.
To control the number of devices that are logged in, each device should have its own access token that is periodically rotated without sharing the new token with other devices.
OAuth can be used to issue per-device tokens that have to be renewed and cannot be used on multiple devices. There is a draft specification that tries to standardize the usage of OAuth with mail clients without registering a Client ID in advance: mAuth - OAuth2 profile for mail apps and other public clients
I am not sure OAuth actually solves the problem. E.g. if the user currently logs into Gmail with Delta Chat on Android and then shares the backup to Desktop, will Gmail prevent both devices from working?
Implementing OAuth in chatmail may also not be easy; I would prefer some simpler solution.
Another way to limit the damage would be key rotation via Autocrypt Setup Message:
If the user rotates the key and has to manually enter the code on all devices, unauthorized devices unknown to the user will be excluded from encryption, but not from accessing IMAP folders and sending messages.
There is a related topic about discovering when the user logs in on a second device without transferring the key:
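To make the per-device token idea from this post concrete, below is a constructed Python simulation added here as an example; it is not code from Delta Chat, chatmail, mAuth or any mail provider. A hypothetical server (`TokenServer`, `TokenFamily` and the device ids are assumptions) issues one rotating token per device login and treats a replay of an already-rotated token as evidence that the token was copied, for example restored from a backup. The two scenario functions model the backup-to-Desktop question and the per-device login alternative.

```python
"""Constructed simulation of per-device rotating tokens (not chatmail code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenFamily:
    """All tokens ever issued to one device login, linked by rotation."""
    device_id: str
    current: str                                 # only token accepted right now
    revoked: bool = False
    consumed: set = field(default_factory=set)   # tokens already spent on a rotation


class TokenServer:
    """Hypothetical mail server: one rotating token per device, capped device count."""

    def __init__(self, max_devices=10):
        self.max_devices = max_devices
        self.by_token = {}    # token string -> TokenFamily
        self.by_device = {}   # device id -> TokenFamily

    def active_devices(self):
        return sorted(d for d, f in self.by_device.items() if not f.revoked)

    def login(self, device_id, password="correct-horse"):
        """Password login; the password check is assumed to succeed here."""
        old = self.by_device.get(device_id)
        if old is not None and not old.revoked:
            old.revoked = True                   # a device re-login replaces its old family
        if len(self.active_devices()) >= self.max_devices:
            raise PermissionError("device limit reached")
        token = secrets.token_urlsafe(32)
        fam = TokenFamily(device_id, token)
        self.by_token[token] = fam
        self.by_device[device_id] = fam
        return token

    def rotate(self, token):
        """Exchange the current token for a fresh one; a replay revokes the whole family."""
        fam = self.by_token.get(token)
        if fam is None or fam.revoked:
            raise PermissionError("unknown or revoked token")
        if token in fam.consumed:
            # The same token is being rotated a second time: a copy exists somewhere
            # (e.g. restored from a backup), so neither holder can be trusted.
            fam.revoked = True
            raise PermissionError("reuse detected: all tokens for %s revoked" % fam.device_id)
        fam.consumed.add(token)
        fam.current = secrets.token_urlsafe(32)
        self.by_token[fam.current] = fam
        return fam.current

    def authorize(self, token):
        """True only for the newest token of a non-revoked family."""
        fam = self.by_token.get(token)
        return fam is not None and not fam.revoked and fam.current == token


def backup_sharing_scenario():
    """Android logs in, the backup (with its token) is restored on Desktop, Android rotates."""
    srv = TokenServer()
    android = srv.login("android")
    desktop_copy = android               # backup carries the very same token
    android_new = srv.rotate(android)    # Android rotates on its next sync
    clone_accepted = srv.authorize(desktop_copy)
    try:
        srv.rotate(desktop_copy)         # Desktop tries to renew its stale copy
        reuse_detected = False
    except PermissionError:
        reuse_detected = True
    return {
        "clone_accepted": clone_accepted,
        "reuse_detected": reuse_detected,
        "original_still_valid": srv.authorize(android_new),
    }


def per_device_login_scenario(max_devices=2):
    """Each device logs in on its own, so the server can count and cap devices."""
    srv = TokenServer(max_devices)
    srv.login("android")
    srv.login("desktop")
    try:
        srv.login("unknown-laptop")
        limited = False
    except PermissionError:
        limited = True
    return srv.active_devices(), limited
```

In the backup scenario the copied token is refused as soon as Android has rotated, and Desktop's attempt to renew the stale copy revokes the family, so Android's fresh token stops working too: both devices are locked out until one logs in again, which is exactly the outcome the Gmail question above is worried about. In the per-device scenario every device has its own family, the server knows how many devices are active, and it can refuse a third login.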