theRightDirectionBV
9 days ago, New Contributor
CLI security measures
We run the CLI tool in our production environment to access our secrets, and we store the token in Windows environment variables.
If somebody can hack into the system and take the token, he can basically read all my secrets, but he can also do everything inside the vault.
So I am wondering, can I protect the CLI and the service token more granularly?
Question 1: Can I say that this token can only read keys from the vault? So no altering of keys or deletion of keys.
Question 2: I have an SSL certificate on my server which is also used by the webserver. Can I import the certificate somewhere so that the CLI uses only the public key of the certificate to get access to the vault? That way I do not need to store the service token anywhere, and it will be much harder to mimic the connection to the vault.
Question 3: Can I track from which machines, IPs or hosts connections are made from the CLI to the 1Password backend? If so, it would be nice to have something like whitelisting, so that with this service token and the specific IP of my machine I can give access to the vault, but only for this machine or IP.