If I had my 'druthers, there would be a kind of physical vending machine installed at local city hall or whatever, which leverages physical controls and (dis-)economies of scale.

The trusted machine would test your ID (or sometimes accept cash) and dispense single-use tokens to help prove stuff. For example, to prove (A) you are a Real Human, or (B) Real and Over Age X, or (C) you Donated $Y On Some Charity To Show Skin In The Game.

That ATM-esque platform would be open-source and audited to try to limit what data the government could collect, using the same TPM that would make it secure in other ways. For example, perhaps it only exposes the sum total of times each ID was used at machine, but for the previous month only.

The black-market in resold tokens would be impaired (not wholly prevented, that's impossible) by factors like:

1. The difficulty of scaling the physical portion of the work of acquiring the tokens.

2. Suspicion, if someone is using the machine dozens of times per month—who needs that many social-media signups or whatever?

3. There's no way to test if a token has already been used, except to spend it. By making reseller fraud easy, it makes the black-market harder, unless a seller also creates a durable (investigate-able) reputation. I suppose people could watch the vending-machine being used, but that adds another hard-to-scale physical requirement.

>Think about it - the claim is that those systems can prove aspects of someone's identity (eg age), without the site where the proof is used obtaining any knowledge about the individual and without the proof provider knowing where the proof is used.

That is not nessisarially true. There are ZK setups where you can tell when a witness is reused, such as in linkable ring signatures.

Another simple example is blind signatures, you know each unblinded signature corresponds to a unique blind signature without knowing who blinded it.