Don't you think people will inevitably crack the software side of things (as has been done with the lower levels of Widevine)?
The end game is probably integration with a TPM that produces the token, or at least whatever part of it verifies that the Chrome binary is genuine and that there is no forbidden software running on the client machine.