You can create a TemplateVM (for example deb-veracrypt), install veracrypt in it, then create a DispVM Template (for example deb-veracrypt-dvm). Finally connect the usb device from sys-usb to the DispVM.
To create a DispVM template:
[user@dom0 ~]$ qvm-create -t deb-veracrypt -l red --prop template_for_dispvms=true --prop netvm='' deb-veracrypt-dvm
[user@dom0 ~]$ qvm-features deb-veracrypt-dvm appmenus-dispvm 1
Reminder: if you want the veracrypt package to persist and be usable in different vms, you have to install it in the TemplateVM.