It's not a big problem because tokens lock themselves after 3 tries so even if someone got your token they'd have to guess it. Having separate subkeys for each token is nice but works best only with the signature subkey. For encryption it doesn't work as GnuPG encrypts only to one subkey. The same with authentication subkey: it doesn't matter if you revoke it because SSH doesn't understand OpenPGP revocations.
