This list lacks the most obvious one: enable (and ideally enforce) SCRAM-xxxxx-PLUS as the authentication method of choice.
The idea of the PLUS variant is both simple and effective: instead of verifying <user,password> with the help of a salt you are verify <user,password,tls session key>.
That way the authenticating is only valid on a single TLS connection.
This is also called channel binding.