Tiny bit more clarification ... FortiToken Mobile tokens are bonded to packs .. licenses (min. qty. 5 AFAIK).

Those licenses are then activated from a single device or cluster, and since then bonded to the serial number of device (like FortiGate/FortiAuthenticator) or master of the cluster. Cluster is specific scenario and sort of exception to general licensing model in Forti*.

Because tokens need to be shared across the cluster, therefore cluster master will tell FortiGuard who are cluster members. Because any token management action like assignment to user is authorized through FortiGuard (which is also used as mediator between FortiGate/FortiAuthenticator unit and mobile devices bearing FortiToken Mobile App), then FortiGuard needs to know who is eligible to make admin changes and manage token assignments.

Therefore tokens can be moved by those license packs, and whole packs only, by moving license between units.

Licenses can be stacked.

Therefore if you do have 10 times 10-tokens pack/license (100 in total).

And want to move just some of those.

Then you can move a single 10 tokens pack.

Unfortunately you are not free to move any tokens but all those has to be from same pack/license.

GUI or CLI will tell you license number for every individual token (for example):

<code> C3 # show user fortitoken config user fortitoken    edit "FTKMOB121D29EDD2"    set license "FTMTRIAL090E76B9" next    edit "FTKMOB12CE85AB07"    set license "FTMTRIAL090E76B9" next end

</code>

However, as you mentioned you are going to move those tokens to FortiAuthenticator.  Then how about to move them all? With users. And set your FortiGate to use that FortiAuthenticator, let's say as RADIUS server and so set RADIUS Client and policy on that FortiAuthenticator to handle the tokens from that central point.

Because this is another way how to split FortiToken Mobile license, even one by one. Simply by putting all the tokens to a FortiAuthenticator and then assigning tokens to separate users, which could then be split across multiple RADIUS Clients, like FortiGates (or even 3rd party if those are capable of handling standard RADIUS Access-Challenge handshake), so you can have 3 users/admins on one FortiGate, 7 others somewhere else .. no matter if those are from the very same 10 tokens pack, because they are on FortiAuthenticator as single device and split later by config, not affected by license-on-single-point model.

Thank you @xsilver_FTNT for the great explanation on this topic. Is it the same for physical tokens? Can they also not be split up like you mentioned above for mobile tokens? 

Thank you @xsilver_FTNT for the great explanation on this topic. Is it the same for hardware tokens? Not being able to be split up?