The error is deliberately vague. You can check the UEFI specification what conditions can result in this error (scroll down to "Status Codes Returned"):

https://uefi.org/specs/UEFI/2.10/08_Services_Runtime_Services.html?highlight=EFI_INVALID_PARAMETER#setvariable

Most likely it is a faulty or incomplete implementation of the (virtual) UEFI.

• Some 'Orrible xVM virtualization solution (whose name I cannot write as it is banned here, sounds something like a nonreal cube), for example, does not implement individual KEK/DB variables for each VM, so they made any write to these variables fail from within the VM. You'd need to update the certificates from the VM managment console while BitLocker is suspended (if used).
• To properly update KEK on Hyper-V machines, both host and guest need to be at least of March 2026 patchlevel (April 2026 in case of hotpatching enabled).
• On physical machines, most likely have a look for a firmware update
• In case the new keys are already updated inside the Default variables, you can also reset secure boot keys to default, while Bitlocker is suspended
• I've seen cases where NVRAM being full resulted in EFI_INVALID_PARAMETER instead of EFI_OUT_OF_RESOURCES. In that case you will need to experiment whether you can free some NVRAM by resetting secure boot variables or resetting UEFI defaults. In case you have been dual-booting Linux and allowed it to write crash dump information to EFI NVRAM, you can clear these from within Linux.

In any case, stating the make and model of your hardware (in your case the virtual hardware, i.e. the virtualization vendor) might help others help you with your particular (virtual) hardware.