When a user leaves and their hardware token is to be reassigned, how should this be handled in the SurePassID portal?

Best practice is to disable the token and unassign it from the user who left the company, instead of deleting the tokens. You can then assign the token to a new user and reenable it or set it to "new" and have the new user activate the token via the self-service portal, if you are using that feature.