You could set the Active Sessions value to 1 which would only allow 1 MAC address to connect.
In addition, upon successful authentication you could write an attribute to the Endpoint entry which identifies the device (this would be better if the device has been profiled - add ClearPass as a DHCP helper). This would be completed under a custom Enforcement profile.
You would then amend the service to check that, if the device exists in the Endpoint database, the specific attribute matches; otherwise invoke the Deny Access Profile. This would only allow 1 MAC address to connect, and if this was spoofed then the device type details would have to match as well.
I have done similar checks before but not this specific use. Test in a lab if you get a chance.
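
The decision logic described in the reply above, modelled in Python as an added example (not part of the original post and not ClearPass configuration). The per-user session count, the stored attribute and every name in the code are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_ACTIVE_SESSIONS = 1  # models the "Active Sessions" value of 1 from the post


def norm(mac: str) -> str:
    """Normalise a MAC so AA-BB-.. and aa:bb:.. compare equal."""
    return mac.lower().replace("-", ":")


@dataclass
class PolicyModel:
    # Hypothetical stand-ins: endpoint database (MAC -> attribute written at
    # first successful auth) and active sessions (user -> set of MACs).
    endpoints: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)

    def authenticate(self, user: str, mac: str, profiled_device: str) -> str:
        mac = norm(mac)
        active = self.sessions.setdefault(user, set())
        # Check 1: a second MAC for the same user exceeds the session limit.
        if mac not in active and len(active) >= MAX_ACTIVE_SESSIONS:
            return "DENY: active session limit"
        # Check 2: a known endpoint must still match its stored attribute,
        # so a cloned MAC on a different device type is rejected.
        stored = self.endpoints.get(mac)
        if stored is not None and stored != profiled_device:
            return "DENY: endpoint attribute mismatch"
        # First successful auth: write the identifying attribute.
        if stored is None:
            self.endpoints[mac] = profiled_device
        active.add(mac)
        return "ALLOW"

    def disconnect(self, user: str, mac: str) -> None:
        self.sessions.get(user, set()).discard(norm(mac))


if __name__ == "__main__":
    p = PolicyModel()
    # Constructed sample values, not taken from any real deployment.
    print(p.authenticate("alice", "AA-BB-CC-00-00-01", "Windows Laptop"))
    print(p.authenticate("alice", "AA-BB-CC-00-00-02", "Windows Laptop"))
    p.disconnect("alice", "AA-BB-CC-00-00-01")
    print(p.authenticate("alice", "aa:bb:cc:00:00:01", "Linux Computer"))
```

The mismatch check is only as strong as the profiling data behind it, which is why the post suggests feeding DHCP to the profiler before relying on it.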