To get your code sample to work, you need to replace Url::query('token') with get('token').
However, this code is not checking that the token is valid – any URL containing a non-empty token parameter would give access to the preview. Maybe this thread helps investigating further, if that’s what you need; sounds like a check for being logged-in – something like if(kirby()->user()) – might be the easiest, whereas generating and validating a bespoke token for a virtual page might be tricky …but maybe somebody more knowledgeable might still chime in with a suggestion here?