Token Binding protects against more than just endpoint compromise. It protects against users who copy and paste their cookies somewhere (possibly due to phishing, or due to just debugging why a request is failing). It protects against webservers that log cookies, and those logs leak or are disclosed wider than they should be. It sometimes provides protection against https MITM (via stolen or mississued https certs/private keys). It provides protection against other types of cookie leakage, for example Cloudbleed.