> e.g. the service is generally still aware of what services the user is using that require verification
How? The token isn't specific to any user or service. The only information the ID provider gets is that you requested the token and the only thing the service verifying your age gets is the same token shared by everyone over 18.
There isn't any good way of making it hard for someone to share the codes unless you're going to set up an Orwellian panopticon that tracks where everybody is using them, and since that is totally unacceptable and half measures are uselessly ineffective, it's reasonable to just accept that codes are going to be shared.
How? The token isn't specific to any user or service. The only information the ID provider gets is that you requested the token and the only thing the service verifying your age gets is the same token shared by everyone over 18.