For most KYC verifications just a picture of an ID card is not enough. Identity authority KYC process shouldn't allow that IDs from a data breach to pass verification.

Same ID also cannot be registered more than once at the same identity authority.

Identity authority doesn't provide tokens, but signs (nonce + requested age data) requests that user gets from a service he's trying to access. User needs to be logged in to do that.

If user shares identity authority credentials, that would show in suspicious auth pattern (e.g. accessing from multiple locations at the same time) to identity authority and account should be blocked and require the whole KYC process again.

There is an issue of someone with stolen ID registering at identity authority where true owner of ID hasn't registered and passing KYC process. This could me mitigated by, for example, limiting at which identity authorities a citizen of a specific country can register, limiting the number of concurrent registrations at identity authorities concurrently (for example an ID can be registered at max one identity authority globally at a time. You would need to close account at current identity authority to open it at another) and/or stricter KYC verification (like in person).

Again, even if someone succeeds in registering with stolen ID, sharing of the credentials still needs to be limited in order to avoid getting blocked.

In short, it all depends on identity authorities doing a good job at KYC verifications process.