I have managed to digitall sign PDF document using digital certificate on USB token - GEMALTO SafeNet Authentication Client using PKCS#11 library on Mac Mini M1. However, the Safenet Authentication Client should be 10.2 (Post GA R4) having support for Mac OS 11 (Big Sur). There is an issue using non-repudiation certificate as it requires to get the PIN at the time of the signing. In the case you are already logged-in the GEMALTO token an error PKCS#11 0x91 happens. But if you are not yet logged in when you select the non-repudiation certificate Acrobat will prompt you for the PIN and the name of the signed document and the valid non-repudation certificate is generated and inserted in PDF document. However, it is not possible to sign another document i.e. to generate non-repudiation signature immediately after unless you first log-off. Nevertheless, it is possible to use other certificate without logging-off, but NOT non-repudiation.