After much consideration and testing, I came up with the following approach:
I created a service account and gave only this account the right to request a signing certificate. I did this on a test client and exported the certificate as .cer and .pfx (with private key and +16 digit password).
The .cer I added via GPO on all clients as "Trusted Publisher" and the .pfx file I put on a network drive folder where only the CodeSign users have access.
Now I have written a PowerShell script with which the CodeSign users can simply sign a script via a drag & drop box. The script also imports the certificate when it starts and deletes it from the client after closing the script.
Additional info:
The certificate is valid for 1 year (so I will renew it every year).
The already signed scripts remain valid after one year, thanks to a public timestamp server.
Thanks for your many helpful answers.
If you have any suggestions for improving the process, feel free to share them.
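The signing workflow described in the post (import the .pfx from the restricted share, sign with a timestamp, remove the certificate again), written out as an added example. This is not the poster's script: the share path and the timestamp server URL are placeholders I assumed, the PFX password is prompted rather than stored, and the drag & drop form is replaced by taking the dropped files as script arguments (which is what Windows passes when files are dropped on a shortcut to the script). It also adds the checks a practitioner would want before and after signing: that the imported certificate actually has a private key and the Code Signing EKU, and that the finished signature verifies on the client.

```powershell
# Added example (not the original poster's script): sign one or more PowerShell
# scripts with a code-signing certificate from a PFX on a restricted share,
# timestamp the signature, verify it, and remove the certificate afterwards.
# Assumptions (placeholders, adjust for your environment):
#   - $PfxPath points at the .pfx the post describes; the password is prompted, never stored.
#   - $TimestampServer is one public RFC 3161 timestamp server; the post does not name one.

[CmdletBinding()]
param(
    [Parameter(Mandatory, ValueFromRemainingArguments)]
    [string[]]$ScriptPath,                                       # files dropped onto the script
    [string]$PfxPath = '\\fileserver\CodeSign$\codesign.pfx',     # placeholder share path
    [string]$TimestampServer = 'http://timestamp.digicert.com'    # assumption: any public RFC 3161 server
)

$ErrorActionPreference = 'Stop'
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$cert = $null

try {
    # Import into the current user's personal store only; the key never touches LocalMachine.
    $password = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $password

    # Refuse anything that is not a usable code-signing certificate.
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $CodeSigningEku) {
        throw 'Imported certificate lacks the Code Signing EKU.'
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

    foreach ($file in $ScriptPath) {
        $file = (Resolve-Path $file).Path

        # SHA-256 Authenticode signature with an RFC 3161 timestamp, so the
        # signature stays valid after the one-year certificate expires.
        $result = Set-AuthenticodeSignature -FilePath $file `
                                            -Certificate $cert `
                                            -HashAlgorithm SHA256 `
                                            -TimestampServer $TimestampServer
        if ($result.Status -ne 'Valid') {
            throw "Signing $file failed: $($result.Status) - $($result.StatusMessage)"
        }

        # Re-read the file to confirm the signature chains to a trusted publisher
        # on this client (the GPO-deployed Trusted Publisher entry).
        $check = Get-AuthenticodeSignature -FilePath $file
        Write-Host ("{0}: {1} (signer {2}, timestamped by {3})" -f $file, $check.Status,
            $check.SignerCertificate.Subject, $check.TimeStamperCertificate.Subject)
    }
}
finally {
    # Remove the certificate and its private key from the client whether or
    # not signing succeeded, mirroring the post's cleanup step.
    if ($cert) {
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    }
}
```

Run it as `powershell.exe -File Sign-Script.ps1 C:\path\to\script.ps1` or drop one or more .ps1 files onto a shortcut to it. The `finally` block is the important design choice: the private key is deleted from the user store even if the password prompt is cancelled or signing fails, so a CodeSign user never leaves a usable signing key behind on a client. The post-signing `Get-AuthenticodeSignature` check is what tells you the GPO-deployed Trusted Publisher entry is actually in place on that machine; a `Status` of `UnknownError` or `NotTrusted` there means the signature was produced but the client will not run the script.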