You don't even need the token issuer to have government identities, you just need some way of rationing tokens.
Using identities for that is actually somewhat problematic because identity theft is generally pretty easy. The attacker compromises many devices, or a database containing the information of millions of people necessary to impersonate any of them to the token issuer. Then not only does the attacker get a large number of tokens, a large number of people also lose the ability to sign up for the service themselves. It also opens you up to deanonymization attacks if the token issuer and the site collude, or anyone else can compromise or coerce both of them at once.
But there are plenty of other alternatives.
You could ration them based on some other scarce thing, e.g. issue only X number of tokens per public IPv4 address or IPv6 /64 block per year.
You could exchange tokens for a security deposit. A few dollars for a token that can be used for over a decade is a minimal cost to a real user, but a few dollars for a token that lasts 90 seconds before getting banned is a real cost to the spammer.
And you can combine them. One free token per public IPv4 address per month, and if you need more then provide a security deposit.
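The combined policy described in the comment above (one free token per public IPv4 address or IPv6 /64 per month, a deposit for anything beyond that), sketched as an added example that is not part of the original comment. The names `ration_key` and `TokenIssuer`, the in-memory counter, and the assumption that the deposit is collected elsewhere are all hypothetical.

```python
import ipaddress
from datetime import datetime, timezone

FREE_PER_MONTH = 1  # assumed quota: "one free token per public IPv4 address per month"


def ration_key(addr: str) -> str:
    """Map a client address to the scarce unit that is being rationed."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) must count against the IPv4
    # address; otherwise a dual-stack listener hands the same client a second quota.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)
    # One subscriber usually controls an entire /64, so per-address limits on
    # IPv6 are meaningless; key on the /64 prefix instead.
    return str(ipaddress.ip_network(f"{ip}/64", strict=False))


class TokenIssuer:
    """Hypothetical issuer: free quota per ration key per month, deposit beyond it."""

    def __init__(self):
        self._issued = {}  # (ration key, "YYYY-MM") -> free tokens issued

    def request(self, addr: str, now: datetime, deposit_paid: bool = False) -> str:
        """Return 'free', 'deposit' or 'denied' for one token request."""
        bucket = (ration_key(addr), now.strftime("%Y-%m"))
        if self._issued.get(bucket, 0) < FREE_PER_MONTH:
            self._issued[bucket] = self._issued.get(bucket, 0) + 1
            return "free"
        # Quota exhausted: a token is only issued against a security deposit.
        return "deposit" if deposit_paid else "denied"


if __name__ == "__main__":
    # Constructed sample requests using documentation address ranges.
    issuer = TokenIssuer()
    when = datetime(2024, 1, 15, tzinfo=timezone.utc)
    for a in ["203.0.113.7", "::ffff:203.0.113.7", "2001:db8:1:2::a", "2001:db8:1:2:ffff::b"]:
        print(a, ration_key(a), issuer.request(a, when))
```
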