Azure Trusted Signing - 403 Response - Official GitHub Action - Previously Working

I am using Azure Trusted Signing with the official GitHub action. This was working last month, but I am now getting a 403 error. Here is my GitHub action

name: Official Azure Trusted Signing - Test Workflow
on:
  push:
    branches: [main]
permissions:
  id-token: write
  contents: read
env:
  AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
jobs:
  build-and-sign:
    runs-on: windows-latest
    name: Build app and sign files with Trusted Signing
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Rust Toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Build Application
        run: cargo build --release
      - name: Azure login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Sign files with Trusted Signing
        uses: azure/trusted-signing-action@v0
        with:
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
          trusted-signing-account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
          files-folder: ${{ github.workspace }}\target\release
          files-folder-filter: exe,dll
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
          exclude-environment-credential: true

I get a 403 with the error: "Error: SignerSign() failed." (-2147467259/0x80004005)

According to the FAQ this indicates that I am trying to sign as a "Service Principle with Certificate", and I must define the environmental variable AZURE_CLIENT_CERTIFICATE_PATH

It does not make sense that I would predefine the path of the certificate when using this action. I would assume the action would define this path to the signer.

Please help. This is a longer print of the error from my GitHub action logs:

Version: 1.0.95
"Metadata": {
 "Endpoint": "***",
 "CodeSigningAccountName": "***",
 "CertificateProfileName": "***",
 "ExcludeCredentials": [
 "EnvironmentCredential",
 "InteractiveBrowserCredential"
 ]
}
Submitting digest for signing...
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)
Headers:
Date: Tue, 28 Oct 2025 14:39:02 GMT
Connection: keep-alive
Strict-Transport-Security: REDACTED
x-azure-ref: REDACTED
X-Cache: REDACTED
Content-Length: 0
 at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
 at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
 at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)
 at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)
 at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
SignTool Error: An unexpected internal error has occurred.
Exception: 
Error: Process completed with exit code 1.