@Matthijs: If I'm understanding this correctly, the 3rd party developer builds the Windows Phone application and packages it in a XAP (not sure if it is signed or not signed at this point by the 3rd party developer). The XAP is then given to the enterprise where they can sign it and publish it in their private store.
What about enterprise customers who do not run a private store (i.e. small customers)? Can the 3rd party developer run a private store? This must be where you mention "give them access by an account or token". It seems like the customer's machines could only be enrolled in one store and in the case of a smaller customer it wouldn't make sense to have them NOT be enrolled in Microsoft's public store. This area is foggy.