Because those solutions always have obvious flaws. If the cryptographic token is anonymous, how do you know the user verifying is the same one who generated the token? How do you know the same cryptographic key isn't verifying several accounts belonging to other people?

They are one time use by definition. You can't know they are used by respectful owner, but the idea is you have to provide a new token every few weeks/months. Much like when using other services nowadays, I mean even Gmail will have you authorize every few months even if you didn't log out. Plus you fine/prosecute those who sell/misuse theirs. Just like you prosecute adults who buy kids alcohol or other substances.

Obvious flaws are OK. I absolutely hate the Nirvana fallacy that you people think is acceptable here, while hundreds of millions of kids suffer from serious developmental issues, as reported left and right by all kinds of organizations and governments themselves.