Yes, it would definitely make sense, and there is a proposal about this (Origin Bound cookies).
SameSite=Strict & Lax are a very good protection against CSRF but hacked subdomains remain a way to attack – for example, hacked.example.com can forge credentialed requests to example.com easily.
For this, you can actually use the __Host- cookie prefix. On browsers with support for cookie prefixes, it is not possible to set them across domains: this way you are sure that the cookie actually comes from example.com and not hacked.example.com.
However, there is currently no way to bind a cookie to a (domain, port) pair. As I’m discussing on a bug entry, this is especially problematic for localhost-bound non-HTTPS web servers: another local user can exfiltrate your cookies by spawning a local server on another port and tricking you into browsing to this web server.
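To make the two points above concrete, here is an added example (not code from the original post or from any browser) that models how a browser with cookie-prefix support decides whether to store a Set-Cookie header, and which later requests receive the cookie. The helper names (`storeCookie`, `cookieSentTo`), the hosts and the sample headers are assumptions made for illustration; path matching is omitted (every request is assumed to be for `/`).

```javascript
// Added example: a minimal model of cookie storage and matching rules
// (RFC 6265 domain-match plus the RFC 6265bis cookie name prefixes).
// Not from the original post; helper names and sample hosts are assumed.

// Split "name=value; Attr=val; Flag" into its name, value and attributes.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const name = eq >= 0 ? nameValue.slice(0, eq).trim() : nameValue;
  const value = eq >= 0 ? nameValue.slice(eq + 1).trim() : "";
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i >= 0 ? part.slice(0, i) : part).trim().toLowerCase();
    attrs[key] = i >= 0 ? part.slice(i + 1).trim() : true; // flags become true
  }
  return { name, value, attrs };
}

// RFC 6265 "domain-match": host is the domain itself or a subdomain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// The user agent's storage decision. setter = { host, secure } describes the
// origin that sent the header; its port is deliberately absent, because the
// cookie scope never includes it. Returns the stored cookie or null if rejected.
function storeCookie(header, setter) {
  const { name, value, attrs } = parseSetCookie(header);
  const secureAttr = attrs.secure === true;
  let domain = setter.host.toLowerCase();
  let hostOnly = true;
  if (typeof attrs.domain === "string" && attrs.domain !== "") {
    domain = attrs.domain.replace(/^\./, "").toLowerCase();
    // A host may only widen the scope to a domain it belongs to.
    if (!domainMatches(setter.host, domain)) return null;
    hostOnly = false; // now shared with every subdomain of `domain`
  }
  // Prefix rules: __Secure- needs a secure origin and the Secure attribute;
  // __Host- additionally forbids Domain and requires Path=/ (host-only scope).
  if (name.startsWith("__Secure-") && !(setter.secure && secureAttr)) return null;
  if (name.startsWith("__Host-") &&
      !(setter.secure && secureAttr && hostOnly && attrs.path === "/")) return null;
  return { name, value, domain, hostOnly, secure: secureAttr };
}

// Would the stored cookie be attached to a request to host:port?
function cookieSentTo(cookie, host, port, secure) {
  void port; // the port is ignored: that is the localhost problem described above
  if (cookie.secure && !secure) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatches(host, cookie.domain);
}
```

Run the functions against the scenarios in the post: a plain cookie set by `hacked.example.com` with `Domain=example.com` is stored and later sent to `example.com`, while the same attempt with a `__Host-` name is rejected outright, and a `__Host-` cookie without `Domain` stays host-only and never reaches `example.com`. Over plain HTTP on localhost the prefix cannot be used at all (`Secure` is required), and an ordinary cookie set by `localhost:8000` is sent to `localhost:9000`.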