We are still setting the instances up, so we aren't yet at the stage where we can register any hardware keys.

Yes, we have a requirement for using the hardware keys.

The problem is that our on-prem instance will not have access to the internet, so we will need to figure out another way to complete the authentication process using the Relying Party if SN utilizes a third-party Relying Party.