"Fortinet Support directed us to only create local user accounts on the Fortinet and not use Radius or LDAP, which isn't really an answer as then you're trying to maintain separate login credentials vs. normal AD credentials, which isn't practical for more than a few users."
I was able to get this to work WITH LDAP/AD... The difference being, a "user group" in the FortiGate that uses LDAP/RADIUS as a "Remote Authentication Server" doesn't seem to work at all with FortiTokens because of the case sensitivity issue; however, "local users," who are of type "LDAP" or "RADIUS" and themselves authenticate against LDAP or RADIUS, added to a different "user group," DOES work with FortiTokens, since you can assign the token to the local user.
This is not the perfect solution, because, as you say, you would have to maintain a "local user" account on the FortiGate for each user that needs access in LDAP or RADIUS (but you'd need to do that anyway to assign the FortiToken); however, you don't need to maintain login credentials (since that can still be handled with LDAP or RADIUS). Meaning, the username must be duplicated as a local user, but password authentication is handled by AD/LDAP/RADIUS and FortiToken authentication is handled by the FortiGate.
Oh, and IMHO, the FortiGate "local user" username should be all lowercase, and you should tell your users to use all lowercase when connecting (or some other simple and enforceable format). If the case doesn't match, the user won't be found in the FortiGate local users, and access will be denied.
Hope this helps.
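For readers who want to see the shape of the configuration described in this reply, here is an added FortiOS CLI example (not part of the original post). The LDAP server name "AD-LDAP", the user "jsmith", the group name and the token serial are all placeholders; the LDAP server object is assumed to already exist under "config user ldap", and the token is assumed to be already imported.

```text
# Local user of type LDAP: the FortiGate looks the name up locally (so case must
# match the lowercase name here), checks the password against AD, and then
# prompts for the FortiToken assigned to this local account.
config user local
    edit "jsmith"
        set type ldap
        set ldap-server "AD-LDAP"
        set two-factor fortitoken
        set fortitoken "FTKXXXXXXXXXXXXXXX"
    next
end

# Group of local users, used in the VPN/admin policy. This is deliberately NOT a
# group that references the LDAP server as a remote authentication server, which
# is the combination the reply reports as not working with FortiTokens.
config user group
    edit "VPN-2FA-Users"
        set member "jsmith"
    next
end
```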