I eventually figured out why I was getting the vague:

Error: SignerSign() failed.
(-2147467259/0x80004005)

The missing piece was permissions at the Trusted Signing account level.
Even though I was the Owner of the Azure subscription, it is not enough to actually sign. You must also have the Trusted Signing Certificate Profile Signer role assigned.

Once I added my user to the Trusted Signing account with the Trusted Signing Certificate Profile Signer role, the signing command started working immediately.

✅ Fix: Assign the user/service principal the Trusted Signing Certificate Profile Signer role on the Trusted Signing resource.

After that, my signtool post-build step was able to successfully sign both DLLs and the MSI installer.