Here is the output of the batch file (redacted for names) that works, if it helps. (removing /debug did not change error code)
C:\Users\Admin>"C:\Signtool\x64\signtool.exe" sign /debug /v /fd SHA256 /tr "
http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\Azure\microsoft.trusted.signing.client.1.0.59\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Signtool\metadata.json" "C:\Installers\TestInstaller.exe"
Trusted Signing
Version: 1.0.59
"Metadata": {
"Endpoint": "
https://eus.codesigning.azure.net/",
"CodeSigningAccountName": "<name>",
"CertificateProfileName": "<profile name>",
"ExcludeCredentials": []
}
Submitting digest for signing...
OperationId <id codes>: InProgress
Signing completed with status 'Succeeded' in 2.5003159s
Successfully signed: C:\Installers\TestInstaller.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0