I think I may have found the problem. I can write the file_name.signed created by your scripts in NT32 emulated environment and in EDKII on Minnow board that I build myself. However, I cannot write the file_name.signed on a commercial device. I can write the same authenticate variable with the same Name/GUID and same cert/key on a device when I create the payload in a UEFI Shell app. So the only difference is creating the signed payload by sbvarsign in Ubuntu vs doing it in UEFI. I compared both the working and non-working payloads and the main difference I see is in the timestamp. For some reason sbvarsign writes the Year as 0x0078 (120) vs the UEFI app writing 0x07e4 (2020). The month/day/hour/min seems to be OK, but the year is really off in the sbvarsign's payload. I cannot prove it, but I think the commercial firmware may be having a sanity check for the timestamp date/time, e.g. compare with the device manufacture date. Since sbvarsign does not allow setting a timestamp separately, I cannot force it to create a payload with the correct year.