Precisely. You can use and old-style hardware token that only generates numbers to log in, but not to authorize an operation such as a money transfer.

The requirement is called "dynamic linking" (the 2FA code must be tied to the specific transaction) and the relevant regulation is PSD2.

There are "simple" hardware tokens that allow for that - you have to enter the amount and part of the destination IBAN and they generate a 2FA number based on that + probably the same number generator it uses for logins.