This is possible - but managing the HSM is a bit annoying as some docs are relatively bad.
Amazon has some docs on how to do this with e.g. SignTool: https://docs.aws.amazon.com/cloudhsm/latest/userguide/signtool-sdk3.html
Some notes:
- You can't reuse the certificate on the Hardware Token - you will have to request a new one with the key generated on the HSM.
- The CloudHSM is relatively expensive - if you have it online 24/7 it costs ~1.5k€ per month (but you could stop and start it when required to save money).
What I learned while setting this up for where I work:
- The version of CloudHSM SDK is quite important
- We use the Client SDK3 because only it (at least 1 year ago) supplied the "Cryptographic Service Provider" which signtool would use.
- While it's cleaner to use a separate HSM user to own the certificate and another user to use it - it's really annoying to set up.