How to understand a token is an exchange result

I have a client exchanging a token from a source client/domain for a new token targeted to a target client/realm.

How can I differentiate this token generated from the exchange from a token the user obtains by executing a login to the target realm?

Otherwise can I prevent the user from logging in the target domain and thus allowing to obtain a token only through the exchange?