Custom Secure Boot Keys - How to sign firmware?

I’m setting up Fedora 37 with full disk encryption, unified kernel image and automatic LUKS unlocking via TPM2. So far pretty much everything works, but I’m running into issues using my own keys for secure boot.
As soon as I enroll my keys, the system (Gigabyte X570 Aorus Master with Ryzen 59000X, Radeon 5700XT and GeForce 1070) will boot loop with no display output. Luckily I can recover it with BIOS flashback. The Arch wiki mentions the possibility that enrolling your own secure boot keys may brick your system “due to the fact that some device (e.g GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate”. Well, it seems that I am running into this issue. I think this thread is talking about that same situation.

Is there any way to get a hold of all the firmware that gets executed during boot or even just a hash that I could sign and put into my signature database? The only alternative I see is signing that Microsoft certificate and putting it into the signature db, which would somewhat defeat the purpose of having my own keys…

As an aside: I tried signing the unified kernel image with my MOK key that I use for signing kernel modules, but the firmware won’t boot that with secure boot enabled. Are MOK keys no good for that?
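As an added example (not from the original post, nor Fedora's or any project's own tooling), the Python below computes the Authenticode SHA-256 of a PE/EFI image, which is the value a Secure Boot db hash entry (EFI_CERT_SHA256_GUID) carries and what tools such as sbsign and pesign compute for signing and verification. It assumes a standard PE32/PE32+ layout with the Certificate Table in data directory slot 4; `build_pe` is a constructed minimal image used only so the check runs offline.

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 Authenticode digest of a PE/EFI image, i.e. the value a Secure Boot db
    hash entry holds. The CheckSum field, the Certificate Table directory entry and
    the attached certificates are skipped, so signing the image does not change it."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    checksum_off = opt + 64
    certdir_off = opt + (144 if pe32plus else 128)   # data directory entry 4
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir_off)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])                      # headers up to CheckSum
    h.update(pe[checksum_off + 4:certdir_off])       # ... up to the cert table entry
    h.update(pe[certdir_off + 8:size_of_headers])    # ... rest of the headers
    sections = sorted(struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)[::-1]
                      for i in range(num_sections))  # (PointerToRawData, SizeOfRawData)
    hashed = size_of_headers
    for raw_ptr, raw_size in sections:               # raw data in ascending file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if cert_size:                                    # trailing data minus the cert table
        h.update(pe[hashed:cert_off] + pe[cert_off + cert_size:])
    else:
        h.update(pe[hashed:])
    return h.hexdigest()

def build_pe(payload: bytes, cert: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ image for the demonstration, not a real EFI binary."""
    hdr_size = 512
    cert_off = hdr_size + len(payload) if cert else 0
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 60, hdr_size)                # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                # CheckSum
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 144, cert_off, len(cert))   # Certificate Table
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), hdr_size, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(hdr_size, b"\0") + payload + cert
```

Run `authenticode_sha256` over a real `.efi` file read in binary mode and the digest will match what sbverify or pesign report for that image; the constructed image only serves to show that attaching a signature or changing the checksum leaves the digest unchanged while changing section content does not.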