I personally use Certum code sign certificate, but this year I changed it to smart card type.
The private key is only stored on the smart card, the security is good, but it is scary and inconvenient …
To code sign, you need to insert the smart card where the private key is stored.
I purchased the following.
It is cheaper to use than Certum.
Manhattan Products USB Smart Card Reader
PIVKey C910 PKI Smart Card