What is Android’s authorization model?

That would depend on what you think an “authorization model” is and in what context you are asking in. APKs have no “authorization model” by themselves, any more than do text files, bars of soap, bricks, golf balls, etc.

If by “authorization model” you mean “how can I validate that the app was obtained from the Android Market”, you can use the License Verification Library (LVL) for that. However, this would not appear to be relevant in your use case (“an industrial application which is installed and shipped on Android devices”).

How do I write my app to run on just the device we install it on?

Prevent users of the device from running anything else, by rolling your own custom firmware, making your app be the home screen, remove unnecessary additional apps from the firmware, etc. This may limit the utility of your devices, will not work if you are trying to make your app available to arbitrary devices, etc.

Or, cook up your own license management scheme akin to the LVL, and hope that nobody interested in pirating the app has enough skills to reverse engineer your code and snip out the license management stuff. Depending upon your customer base, you may have reasonable luck with this approach. This is not significantly different than traditional enterprise software with license keys and the like. Hence, it is entirely possible that firms who make license management stuff for desktop apps have commercial Android solutions available for license.

The “license management scheme” could be as simple as “burn the MAC address of the WiFi NIC in the APK file and compare it at runtime”, though, again, this sort of protection is vulnerable to being reverse-engineered and excised.