Re: Here's a major FACVM Gotcha to watch out for.
Sorry, I assumed, wrongly, that when you converted the HW to a VM unit (and got a new serial number for that VM unit), someone from Fortinet support (who made the conversion) also handled the tokens. Mobile tokens are bound to the license, and the license is always bound to the serial number of the unit where it was activated. Other units are unable to use the same license. And that applies also to FortiToken Mobile. During any change like token assignment, the FAC/FGT unit tells FortiGuard (that directregistration server) that a certain token was assigned and someone will come from a mobile device to pick it up. The operation is protected by that activation code, and the unit which is trying to place such info to FortiGuard needs to be authorized to manipulate the mentioned token, and it's validated via the license check process.
As your VM did not have the license moved from the HW unit at the time, license validation was the failing part, not allowing you to manipulate those tokens.
The LDAP is another story and I believe TAC engineers will handle that.
PS: unit conversion is not a usual process.
PS/2: There was a FortiToken self-reset possibility on the support site, primarily focused on RMA cases. And I'm not sure if it was for Mobile tokens as well, because the license reassignment is something not even TAC can do on their own.