I did indeed solve the issue reported here. The problem must have been somewhere between my ears. Once you do it right, it works 😉
While sigcheck from Sysinternals is a very nice tool, it simply does not compare to signtool. In particular it lacks the ability to check for signing according to the rules of the Kernel Signing Policy. signtool does that easily.
signtool verify /kp ...
All that was needed was to add /ac and the file name of the root certificate from MS (details will be available from your code-signing certificate issuer). For me it was:
signtool sign ... /ac MSCV-VSClass3.cer ...
That solved it.
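
The sign-then-verify sequence described above can be turned into a build gate. The script below is an added example, not part of the original post: it signs with the cross-certificate via /ac and fails unless `signtool verify /kp` succeeds. The parameter names, file paths, subject name and timestamp URL are assumptions to be replaced with your own values.

```powershell
# Added example, not from the original post. Signs kernel-mode driver files with
# a cross-certificate (/ac) and fails the build unless "verify /kp" passes.
param(
    [Parameter(Mandatory)] [string[]] $DriverPath,    # hypothetical, e.g. .\mydriver.sys
    [Parameter(Mandatory)] [string]   $CrossCertPath, # cross-certificate file, e.g. MSCV-VSClass3.cer
    [Parameter(Mandatory)] [string]   $SubjectName,   # placeholder: subject name of your signing cert
    [string] $TimestampUrl,                           # optional RFC 3161 URL from your issuer
    [string] $SignTool = 'signtool.exe'               # assumes signtool is on PATH
)

# Fail early on a missing input instead of letting signtool report it per file.
foreach ($p in @($CrossCertPath) + $DriverPath) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "File not found: $p" }
}

# Build the sign arguments once; /ac is the flag the post found was missing.
$signArgs = @('sign', '/v', '/fd', 'SHA256', '/ac', $CrossCertPath, '/n', $SubjectName)
if ($TimestampUrl) { $signArgs += @('/tr', $TimestampUrl, '/td', 'SHA256') }

$failed = @()
foreach ($file in $DriverPath) {
    & $SignTool @signArgs $file
    if ($LASTEXITCODE -ne 0) { $failed += "$file (sign, exit $LASTEXITCODE)"; continue }

    # /kp checks the signature against the kernel-mode signing policy.
    # A non-zero exit code means the file would not meet that policy.
    & $SignTool verify /kp /v $file
    if ($LASTEXITCODE -ne 0) { $failed += "$file (verify /kp, exit $LASTEXITCODE)" }
}

if ($failed.Count -gt 0) {
    throw "Kernel-policy signing check failed for: $($failed -join '; ')"
}
Write-Output "All $($DriverPath.Count) file(s) signed and verified with /kp."
```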