now I managed it to do the signing without extracting the certificate:
signtool.exe sign /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 /n "CodeSignTest" test.exe
Now I only have to solve how to automate the pin request. Other tokens have the option “single sign on”, so you only have to enter the pin one time, until it is unplugged.
Is there something like that available here too?