Hardware tokens are mandated for EV code signing certificates[1], but not for regular certificates. However, the certificate was from a while ago so that requirement probably wasn't a thing back then.
[1] https://www.digicert.com/signing/code-signing-certificates "REQUIRES TWO-FACTOR AUTHENTICATION USING HARDWARE TOKEN"