I faced the same issue last year and it turned out to be the token offset that was the issue. The problem seemed to be this offset value was going really high for some tokens, meaning the could be used outside the normal last, current and next behaviour. This mostly seemed to happen to soft token, as it appears when a soft token is unassigned and goes back into the token pool, it retains it's offset value, so when a new user gets that used token it can cause issues.
The article https://community.rsa.com/t5/rsa-securid-access-knowledge/how-to-synchronize-rsa-securid-tokens-in-rsa-authentication/ta-p/2898 explains how to use the rsautil sync-tokens tool to list the offset value of the tokens, so you can see if that is the problem. You can also use this tool to reset the offset, which is also explained in this article, if that is the issue.
There are some cases where some user may need this offset to work, like if the time is off on their phone. This article https://community.rsa.com/t5/rsa-securid-access-knowledge/explanation-of-next-tokencode-mode-and-small-medium-and-large/ta-p/1444 gives a good explanation of the different time windows token can have due to different situations. What I did was to reset all the token offsets but then rebooted the servers to make them have the large window, so that the tokens that needed a larger offset would still work, while the other token would not be affected.
