If anyone is interested in a solution, I did the following that works.

First, I created a column in the User table called SingleUserToken. Whenever a user logs in, that field is updated to a random, size 16, string. At the same time, the same string is entered as part of the user's session under the SingleUserToken key.

I then created a middleware that runs on every request and protected route. The middleware simple verifies that the SingleUserToken value in the session matches the one in the database table. If they do not, the user is signed out.

This works because if the same credentials are used to log into a service, the SingleUserToken value on the database will change but the session value for the first user that is logged in will stay the same and thus not match on the next request, logging the user out and thus ensuring that only one user per user name/id/whatever can be logged in at a time.