The best solution here would be to use entity management.
You can create an entity type of Session or similar.
Each time you have a user log in, you can create a Session and set the .data.session_identifier field to the value of the device fingerprint + business specific indicator, and store the access token as the value.
When you are trying to find whether a user has a valid session, you can use the Entity search APIs to find that key and get back the value. Or, if the value doesn't exist, the user has no valid session.
For expiration, you can use the access tokens exp claim (which means anything consuming it will have to check that, which it should anyway). You could also manage additional expiration metadata in the .data field if you needed different logic (you have 5 hour access on weekdays, 10 hours of access on weekends or something similar).
Note that you should be vary aware of the security implications of this scheme (for example, that the device fingerprinting is unique and that the access token is narrowly scoped enough that if it is somehow obtained by an attacker it can't be used to damage the system)