Unsatisfied entitlements: com.apple.developer.networking.networkextension for packet-tunnel-provider-systemextension

We are trying to develop a packet tunnel system extension. When we try to start our main application from within Xcode, it crashes immediately with

EXC_CRASH (Code Signature Invalid)

Looking at the Console, it says

Unsatisfied entitlements: com.apple.developer.networking.networkextension

Running

codesign -d --entitlements - ${PATH_TO_OUR_APP}

says

<dict>
    <key>com.apple.application-identifier</key>
    <string>${OUR_TEAM_ID}.${OUR_APP_ID}</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>${OUR_TEAM_ID}</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>${OUR_TEAM_ID}.${OUR_APP_ID}</string>
    </array>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>

Which looks reasonable to us. And running

security cms -D -i ${PATH_TO_OUR_APP}/Contents/embedded.provisionprofile

says

   <key>Entitlements</key>
    <dict>
              
                <key>com.apple.developer.system-extension.install</key>
        <true/>
              
                <key>com.apple.application-identifier</key>
        <string>${OUR_TEAM_ID}.${OUR_APP_ID}</string>
              
                <key>com.apple.developer.networking.networkextension</key>
        <array>
                <string>app-proxy-provider</string>
                <string>content-filter-provider</string>
                <string>packet-tunnel-provider</string>
                <string>dns-proxy</string>
        </array>
              
                <key>keychain-access-groups</key>
        <array>
                <string>${OUR_TEAM_ID}.*</string>
        </array>
              
                <key>com.apple.developer.team-identifier</key>
        <string>${OUR_TEAM_ID}</string>
              
                <key>com.apple.developer.aps-environment</key>
        <string>development</string>
              
                <key>com.apple.developer.networking.vpn.api</key>
        <array>
                <string>allow-vpn</string>
        </array>

    </dict>

As for the system, it is running 10.15.5 (19F101) and

# csrutil status
System Integrity Protection status: disabled.

# systemextensionsctl developer
Developer mode is on

Any ideas what could be wrong?

One thing I noticed is that Xcode offers no way to -systemextension values for com.apple.developer.networking.networkextension, we had to manually edit the entitlements file and now in Xcode the section "Network Extensions" has no checkbox set anymore. Also when looking at the entitlement plist, the values says "packet-tunnel-provider-systemextension" whereas the non-systemextension values are displayed as nice strings but we think that is because Xcode doesn't have any real support for these values yet; albeit system extensions was introduced almost a year ago, so maybe there is something wrong with our project setup?

Anothor thing we noticed is that the embedded provisioning profile doesn't seem to list the -systemextension variants, yet we don't know how to change that. On the developer web site we edited our profil to include "System Extensions" and "Network Extensions" and the ℹ -box says "Developer ID" distribution.

If we remove com.apple.developer.networking.networkextension from the entitlements file, the app starts okay and it can even install our system extension without any problem but when we try to create a connection based on the system extension, this fails as we may not interact with the Network Extension framework without the appropriate entitlement.

Finally, everything works fine if we use packet-tunnel-provider instead of packet-tunnel-provider-systemextension but then we cannot make a Developer ID build as Network Extensions that aren't System Extensions cannot be deployed using Developer ID. In that case it only works when starting a dev build from within Xcode but we get the same issue when trying to start a Developer ID build on another machine. Strange enough notarization did work for that build.