I think this INTEGRITYCHECK flag silently moved from mandatory simple signature check to hardened signature check. Like it's expected to be used for sensitive code only that needs strict signature checks like AMSI or LSA. Hence it requires MS signature like drivers, just for user-mode. And documentation completely misses this change.
I kept digging it and today I was able to run it using a dirty hack: I signed it at dev portal as LSA. Obviously it has nothing to do with LSA, but I didn't (and still don't) see the right way to do it. After that the file has 2 signatures: mine and Microsoft Windows Software Compatibility Publisher. This way it runs. I know, it doesn't shed much light on why it still fails to run in its original form and I still don't know the right way to do it, but at least there is some dirty hack to make it work.
I'll be really grateful if someone tells me what's wrong with my file or what's the right way to do it.