This, of course, is not an answer - but password-protect tokens and distribute passwords to current booms?)

Disable through local policies or GPO access to usb devices for everyone except the necessary accounts / groups

It is normal practice to create a virtual machine only for bukhs and let them carry tokens with them

If the usb token is a flash drive with files (and most likely it is, but I have seen strange options for a long time), then you can resolve it through file permissions by formatting the flash drives under ntfs and setting the access rights to the root directory only for a group of accountants

And what kind of tokens are they and can they be forwarded through the RDP / network
In general, only licensed HASPs should be inserted into the server for good? And
all bank / tax digital signatures are now equated by law with a real paper signature of a person (accountant)
, or something else. And tell users to insert a token only when they need to sign something. Otherwise, anyone can sign their signature, and they will answer in any case

forward tokens via rdp from the workplace of boo

Worst idea to leave a token unattended even on a super isolated server