Starting 2023-06-01, new rules went into effect which require a hardware-backed private key for a code signing certificate. The new rules make code signing in CD pipelines more difficult unless you give up control of your private key completely to a cloud service provider. Some emboldened authorities are even charging you for the privilege of using said private key, which you must still pay for.
What do you think? Is this even more of a grift, or a step in the right direction for security?
It's even more of a grift, especially since the choices for verifying the rule is actually followed are either "trust me bro" or Treacherous Computing.