This is possible because our Script VM has TX introspection opcodes (activated in '22) + OP_CAT + OP_SPLIT.
The PoC quantum-resistant contract needs no signatures! It's just a hash-lock but with an additional requirement: another input must reveal an aged commitment to the prevout + output contents of the TX.
This is something only the person who knows the secret is able to produce ahead of revealing the secret. Once he spends he will reveal it, but he'll already have the aged commitment and others won't be able to steal his funds.
With CashTokens, we can work around the problem of address reuse. You'd hand out a static pay-to-token address, and the associated NFT would be held in a quantum-secure contract which would be used to collect the funds sent to pay-to-token and rotate the secret on each spend.
More details: https://bitcoincashresearch.org/t/quantum-resistant-one-time-use-lock/1197