I never used this enrollment token approach, but if I'm not wrong it works only in specific scenarios, like when your nodes will have all the roles and the certificate will be auto-generated.
The documentation for bootstrapping a cluster assumes that your nodes will have all roles, so you will already have a bootstrapped cluster and could use the enrollment token. This is not your case, since you want to have dedicated master and dedicated data nodes and you need nodes with master, data_content and data_hot roles.
My suggestion would be to configure your data_hot/data_content nodes to also be master nodes and start all the 5 nodes at the same time and wait for the cluster formation.
After that you could remove the master role for the data nodes and restart them.