I must say your experience is interesting. I am using https://signmycode.com/sectigo-code-signing, but I have chosen Install on Existing Token (Google Cloud KMS), and it's quite easy for me to handle the stuff. I am not scared of key storage or security issue nor password protection or forget issue.