If you've got a rootkit on the machine, an easier way is to simply read out of memory? I presume the key would be in the clear, in memory at some stage.
Lsadump, a tool they mention in the article, does just that for the Windows machine key. The other token input data is protected with that key.
Reading a single token code out of memory from the soft token process while running would certainly work if the target's computer was on and the soft token was in use, but having a completely independent cloned instance gives the attacker a lot more flexibility when impersonating the user.