Force user to remove USB token
You are trying to use a technical tool to solve a social problem. The answer is that cannot fit.
Techniques can provide great security when correctly used, but only user education can allow proper use. I often like the who is responsible for what question. That means that users should know that they will be accountable for anything that could be done with their credentials. It is not enough to prove that they did not do it, they shall prove that they correctly protected their credentials.
The physical analogy can also help. They would not let the key of a physical safe unattended. They should understand that when they are given reasonably secured credentials, they should see it as a physical key and use it the same. But as they are used to their own home computer with no security at all, education is hard and things are to be repeated. Unfortunately, I have never found a better way...
It seems to me that a startup script could check for mounted USBs and block the wifi/network if there is a USB mounted while showing a message.
A simple polling function could check for new USBs connected.
All this is possible in Powershell.
This would solve the problem of having the USBs mounted and would force the user to eject before using the laptop. This does not solve the problem of what the user does with the USB afterward. I can easily imagine users unplugging to start using the laptop, then plugging the USB back in "to store it" once they close the lid.
This might not be the nicest way to do it, and I cannot say that I endorse it, but I have seen it used in practice:
You could have security guards patrol by night, taking any USB key-or-token plugged into a computer with them and filling a security incident. If the next day the users go fetch their USB thingies, they get an official reprimand in person. If they do not, they get a stronger reprimand because they did not notice or report their missing thingy. Make the reprimands reflect badly on their paycheck, or fire the employees with too many reprimands.
If enforced, you can be sure this policy will be very unpopular, but effective.
Edit: You added in a comment that your scenario is for mobile users that are not on premises. I'm afraid my proposal cannot be applied in this case. I will still leave may answer as it might still be useful for others trying to enforce security policies on their premises.