samuelRiosLazo
Apr 25, 2026

Azure Artifact Signing: SignTool "Access is denied" with active Public Trust profile

I’m blocked on Azure Artifact Signing for Windows EXE signing.

What is already confirmed:

- Account endpoint: https://wus2.codesigning.azure.net/
- Code signing account: notarios
- Certificate profile: notarios-public-trust (Public Trust, Active)
- Identity validation: Completed
- User object id: 9aa27294-c04d-4aab-a7b2-3a8b10be96f9
- RBAC includes:
  - Artifact Signing Identity Verifier
  - Artifact Signing Certificate Profile Signer
  (also assigned at certificate profile scope)

Signing command (signtool 10.0.26100.0 x64 + dlib):

... sign /v /debug /fd SHA256 /tr http://timestamp.acs.microsoft.com /td SHA256 /dlib "<...>\\Azure.CodeSigning.Dlib.dll" /dmdf "C:\temp\metadata-corr.json" "C:\temp\notarial-app-test.exe"

Error every time:

- SignTool Error: Access is denied.
- Number of files successfully Signed: 0

I also tested Azure CLI auth and explicit AccessToken in metadata; same result.

CorrelationId for troubleshooting:

- notarios-20260425-1859

If anyone from Microsoft can check backend logs for that CorrelationId, I’d appreciate the exact reason and remediation.