
brian_cunnie 10/02/2024 (4 replies)

> you can make a one-time donation of $5 to a charity of your choice ...

The Alcoholics Anonymous San Francisco website had to implement CAPTCHAs on their website because scammers were making one-time donations to make sure their stolen credit cards were still valid. Every morning we had to invalidate a dozen obviously-fake donations.


Replies

Raidion 10/02/2024

Every SaaS platform with a reasonably cheap offering deals with these. I work for a recognizable SaaS and there are checks that flag both the accounts and reports the credit cards that are used after a fairly low threshold of "add payment method attempts". High levels of fraud usage hurt your reputation with payment processors and that's bad for business.

It doesn't stop the truly determined ones I'm sure, but it does mean that it adds complexity. You don't need to be impossible to test cards on, you just need to be harder to use than someone else (like a lower resource charity). We've even debated "fake accepting" some payment methods after we're confident it's someone trying to find working credit card numbers to add some false positives into the mix.
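The threshold-based flagging Raidion describes, as an added example that is not any commenter's code and not a real platform's implementation: it assumes a hypothetical per-account attempt threshold, a 10-minute sliding window, card fingerprints (tokens, never raw card numbers) and a constructed event list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): one "add payment method" attempt each.
# Fields: account, card fingerprint (a token, not a PAN), outcome, ISO timestamp.
SAMPLE_EVENTS = [
    ("acct-1", "fp-a1", "declined", "2024-10-02T08:00:00"),
    ("acct-1", "fp-a2", "declined", "2024-10-02T08:00:20"),
    ("acct-1", "fp-a3", "declined", "2024-10-02T08:00:41"),
    ("acct-1", "fp-a4", "approved", "2024-10-02T08:01:05"),
    ("acct-2", "fp-b1", "approved", "2024-10-02T09:30:00"),
    ("acct-3", "fp-a4", "approved", "2024-10-02T11:15:00"),
]

ATTEMPT_THRESHOLD = 3           # hypothetical "fairly low threshold" per account
WINDOW = timedelta(minutes=10)  # hypothetical sliding window

def flag_card_testing(events, threshold=ATTEMPT_THRESHOLD, window=WINDOW):
    """Return (flagged_accounts, cards_to_report).

    An account is flagged when it makes more than `threshold` add-payment-method
    attempts inside `window`; every card fingerprint it touched is reported so a
    card that tested as approved is also caught when it shows up elsewhere.
    """
    by_account = defaultdict(list)
    for account, fp, outcome, ts in events:
        by_account[account].append((datetime.fromisoformat(ts), fp, outcome))

    flagged, cards = set(), set()
    for account, attempts in by_account.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until the span fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(account)
        if account in flagged:
            cards.update(fp for _, fp, _ in attempts)
    return flagged, cards

def accounts_using_reported_cards(events, cards):
    """Accounts that used any reported fingerprint: the downstream review list."""
    return {account for account, fp, _, _ in events if fp in cards}

def decide_response(account, flagged):
    """Silent handling for flagged accounts (the 'fake accept' idea), normal
    processing otherwise. Returns the action name so callers can log it."""
    return "fake_accept_and_review" if account in flagged else "process"
```

Reporting fingerprints rather than accounts is what catches acct-3 here: it never tripped the threshold itself but reused a card that was found by testing on acct-1.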

LorenPechtel 10/02/2024

Yup. Charitable donations are a way to spend money without it pointing to you and thus a common test for a stolen card.

Terr_ 10/02/2024

Definitely an issue. I don't really like the idea of a long-term Patreon-esque relationship between the individual user and the attestor/issuer site, but it could be done. The charitable giving is more of a means-to-an-end than a goal, functioning as a kind of "observed spending" which is harder to fake than, say, buying something from yourself on eBay.

If tokens had to mature for X days before being used that could deter laundering pretty handily, but stopping "tests" of cards would require hiding payment errors from the user for a certain period... which would not be a great experience.

ackbar03 10/02/2024

what happens if you don't invalidate them?
