keytool uses CertAndKeyGen to generate a basic self-signed certificate with no extensions. When -ext option was introduced, -genkeypair was implemented as original -genkeypair plus -selfcert, and extensions info was added in the -selfcert step.
This means the keystore object is modified twice in this single operation. In the case of PKCS11 or MSCAPI, it is actually written to the token twice. If a token can only be written once, the action will fail.