It's probably due to my Swiss mountain mule genetics that I stared at web.config, parameter.xml, and setparameters.xml files, VSTS Release variables, and the pipeline for hours. Guess the context switching between the proof-of-concept, taking my son to airport, and having sleepless nights over the vulnerability scanning investigations did not help either.
Use the type command to dump your configuration to your release logs before and after tokenization.
Dump your pre- and post-tokenised files
Add to Command Line tasks to your pipeline. One before and one after the Replace Tokens task. In both cases type your configuration file to log its state before and after the tokenisation.
Analyse the log
Review your release log. As shown, we have a crisp dump of the configuration file. Once I had a visual of the before and after. Within seconds I had an aha moment. A minor one-character typo :(
It's that simple.