I'm afraid not. That's actually nearly impossible to do. The token is sort of tied to your device, but the identifier of the device is actually part of the session information, in a sense. So if stolen, the device identity is stolen along with it. I'd like to think they've implemented some measures to tie the stored token to the device in order to prevent unauthorized replay.
You need to be aware of this: AnyStream uses the Chromium Embedded Framework (CEF) as the core for its browser. It behaves nearly the same way as Chrome.
The session information is stored in an SQLite database on your hard drive (in both cases, Chrome and AnyStream, the exact same way, but in different locations).
Edge is also based on Chromium, so the same holds true.
The data is encrypted, but it can be decrypted. That's what AnyStream does if you instruct it to "adopt" session info from your browser, but it only does that if you instruct it to.
Firefox also stores the session information in a similar way, but doesn't bother to encrypt (imo that's totally fine, the encryption just gives you a false sense of security).
So, in theory, malware could simply fetch the session info from your disk and it can be used elsewhere. I don't know whether or how well it can be used to buy stuff from Amazon. Amazon will require additional authentication when something is bought and delivered to a new address, so that's not likely to happen. Other things, like software licenses, will be delivered to your e-mail address.
But it can be used to watch Prime movies (and, I guess, pay for them until you notice).
Note that malware is not likely to access AnyStream's storage ("AnyStream? Who?"), but rather your browser's.
The only way to be fairly safe would be to always run the browser's "privacy mode" and log in every time (and endure being spammed with "a new device was detected" e-mails). The session data, then, will normally reside in memory and be gone after closing.
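An added illustration, not part of the original post and not AnyStream's code: a defensive audit that lists which logins remain on disk as persistent, still-valid cookies, without touching their values. The table and column names are an assumption modelled on Chromium's cookie store, and the database is a constructed in-memory sample.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 UTC.
CHROMIUM_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_chromium(dt):
    return (dt - CHROMIUM_EPOCH) // timedelta(microseconds=1)

def from_chromium(value):
    return CHROMIUM_EPOCH + timedelta(microseconds=value)

def build_sample_store(now):
    """Constructed in-memory stand-in for a cookie database (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB,"
        " expires_utc INTEGER, is_persistent INTEGER)"
    )
    rows = [  # constructed sample rows, not real cookie data
        ("shop.example", "session-token", b"\x01constructed",
         to_chromium(now + timedelta(days=365)), 1),
        ("shop.example", "csrf", b"", 0, 0),  # in-memory style, not persistent
        ("video.example", "old-login", b"\x01constructed",
         to_chromium(now - timedelta(days=10)), 1),  # already expired
    ]
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def audit_persistent_sessions(conn, now):
    """Return cookies that remain on disk and are still valid at `now`."""
    findings = []
    query = ("SELECT host_key, name, length(encrypted_value), expires_utc "
             "FROM cookies WHERE is_persistent = 1 ORDER BY host_key, name")
    for host, name, enc_len, expires_utc in conn.execute(query):
        expires = from_chromium(expires_utc)
        if expires <= now:
            continue  # expired entries no longer represent a usable session
        findings.append({"host": host, "name": name,
                         "encrypted": enc_len > 0,
                         "days_left": (expires - now).days})
    return findings

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for finding in audit_persistent_sessions(build_sample_store(now), now):
        print(finding)
```

Every entry it reports is a session that outlives the browser process; a profile used only in privacy mode should produce an empty list.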