There seems to be some kind of bug in the AWS web console around users assigning MFA tokens. If a user starts the process then get cold feet and back-out, it still creates an unassigned token, blocking their completion of the process during futute attempts. The only way around this seems to be using the AWS CLI to find the token and delete it.
Firstly, to find the token use the following command. Unassigned MFA devices are listed at the top, so you will probably find it there.
aws iam list-virtual-mfa-devices
Use the following command to delete the troublesome MFA device. Of course, use the ARN of the device you wish to delete.
aws iam delete-virtual-mfa-device --serial-number=<ARN OF MFA DEVICE>