Hacker News
by ridgered4 1161 days ago
Does anything prevent copying the token's private key to another token right now?
2 comments

Yes, the token itself most likely won't allow the key to be extracted. There isn't really a reason to allow it: safer to generate the key at manufacturing time.

In general, CMVP-compatible modules do sometimes allow keys to be exported, but only if wrapped, i.e. encrypted to prevent unauthorized disclosure. However, this is also explicitly forbidden in other standards, such as qualified signing in Europe (ETSI-...): keys are generated on device and never leave.

What do you do if you lose the token? Ideally you enroll two or three and just use another.

Only the entire design of the product and standards around it specifically so it can do its job.