A follow-up to my post above: I've found that Jsign (v7 and up) has a nicer Azure Trusted Signing implementation than Signtool, though it does require using the Azure CLI to grab a (short-lived) access token, so embedding it as follows avoids hard-coding that token…
# The token is fetched inline with $(...) so it is never written into the script;
# --output tsv prints the bare token (without it, --query returns a JSON string
# wrapped in double quotes, which Jsign would send as part of the password).
jsign \
    --storetype 'TRUSTEDSIGNING' \
    --keystore '{{region}}.codesigning.azure.net' \
    --alias '{{account}}/{{profile}}' \
    --storepass "$(az account get-access-token \
        --resource 'https://codesigning.azure.net' \
        --query 'accessToken' \
        --output tsv)" \
    '{{my-binary}}.exe'
It has sensible defaults so you don't have to specify as many flags as with signtool, plus it works on Windows/Linux/macOS.
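An added wrapper around the command above (example code, not from the original post): it fetches the token with `--output tsv` so no JSON quoting ends up in the password, fails closed if the token is empty or not shaped like a JWT, and hands it to Jsign through an environment variable using Jsign's `env:` password prefix (assumed available in Jsign 5 and later) so the token does not appear in the process list while signing runs. The region, account and profile values are placeholders.

```shell
#!/usr/bin/env bash
# Added example: sign a binary with Jsign + Azure Trusted Signing without
# placing the access token on the command line. Not from the original post.
set -eu

TS_REGION="${TS_REGION:-weu}"             # placeholder region prefix
TS_ACCOUNT="${TS_ACCOUNT:-my-account}"    # placeholder Trusted Signing account
TS_PROFILE="${TS_PROFILE:-my-profile}"    # placeholder certificate profile

# A Trusted Signing access token is a JWT: three dot-separated base64url
# segments. Rejecting anything else catches an empty value or a token still
# wrapped in the JSON double quotes that `--query` emits without `--output tsv`.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Short-lived token from the Azure CLI, printed as a bare string.
fetch_token() {
    az account get-access-token \
        --resource 'https://codesigning.azure.net' \
        --query 'accessToken' \
        --output tsv
}

sign_binary() {
    binary="$1"
    token="$(fetch_token)"
    if ! valid_token "$token"; then
        echo "refusing to sign ${binary}: token missing or not a JWT" >&2
        return 1
    fi
    # Pass the token via the environment and Jsign's env: prefix (assumption:
    # supported by Jsign 5+), so `ps` on the build host does not show it.
    AZ_CODESIGN_TOKEN="$token" jsign \
        --storetype TRUSTEDSIGNING \
        --keystore "${TS_REGION}.codesigning.azure.net" \
        --alias "${TS_ACCOUNT}/${TS_PROFILE}" \
        --storepass env:AZ_CODESIGN_TOKEN \
        "$binary"
}

# Usage: ./sign.sh path/to/my-binary.exe
if [ "$#" -ge 1 ]; then
    sign_binary "$1"
fi
```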