to replicate the payment card, you would need to sign the transaction with the card itself. Currently, one can do MITM attack copying the token and then spend all your coins.
btw. How did you envision the vault? Does it run inside the TEE or how would you assure security of the token? You could also pick a confidential blockchain like Oasis Sapphire and do the decryption there on-chain with a read-only query.
ntag-424 cards can generate keys, so on each tap yeu get a new key. you could set it up in a way that each tap has a limit, so only a certain amount can be stolen with each tap
ok, but how does the vault trust that the key was generated on the card and wasn't forged outside? Is it signed with the public key you publish somewhere?
if you are interested in how it works in detail, check out the spec for bolt card
https://github.com/Amperstrand/boltcard/blob/main/docs/SPEC.md
not sure if this is the official one, but you'll find it i'm sure
