Well, only you and the support can answer the question where is your private key.
See, i have no knowledge for USB/Hardware Token per se, but i know and read RFCs, in fact all code signing certificate (per standard) issued by a CSR (Code Signing Request), this happen either manually or automatically, manually when you build your CSR while the private key stay on device, or automatically, by software you are running like a Browser (namely Internet Explorer, Edge or FireFox to my knowledge only these are supported and capable), the difference is Edge and Internet Explorer (using applet or whatsoever) will generate the key and import it to your OS store and never send it with the CSR, the issuer will generate the certificate (that include your public key from the pair auto generated) from the CSR and sign it, while FireFox will do the same only will save it to its Store !, FireFox has its own store.

You didn't give any more detail, how and using what did you download your certificates, did you use some specified browser as per their request (almost all providers ask for that),... do you have a cabinet or account ? When and Where your CSR had being generated and stored ?...
There is many questions here, and the strange thing i can't find a nice, helpful and detailed resources on the internet explain this matter , may be there is and someone can point it.

As for the latest modification to lock all of these to Hardware Token, i don't have knowledge on how and where CSR (with private key generated) as if they are being sent with already flashed key then the whole thing is farce and circus, and will collapse sooner or later (yes this is a prophecy by me), this must not be the case nor how security should be implemented.

As Sebastian said, their support is your best answer, most likely you are not sure, and they should revoke this certificate and issue new one, and (in theory) their utility should be communicate with their servers and issue a new one, where they (as they will might say) the private key didn't leave you device (PC/token/USB), but who knows and who can tell ?!! yet again this is in theory and my imagination on how it should be done, if it can't be done remotely then either they will ask you send the token back or issue new one for you,
Yet again, you didn't even mention if you have a hardware token, or you ordered and completed the request, then may be they issued the certificate, sent it you in anticipation for the USB/Token to be delivered by mail (shipping i mean) ...

So many questions and so many variables, so sorry ....

So, zusammen mit dem DigiCert Support habe ich das Signieren jetzt über den DigiCert KeyLocker hinbekommen. Ist aber schon eine Wissenschaft für sich.