IIRC the new EU spec doesn't actually require using "secure elements" that could limit the user, only says they should be used if present. It shouldn't be hard to find some device where the hardware isn't present or is insecure to extract the keys from.
Or people could just proxy requests to the device, even with a reasonable rate limit in place, one donor could provide access for over a dozen people each day.
Or people could just proxy requests to the device, even with a reasonable rate limit in place, one donor could provide access for over a dozen people each day.