How to correctly use the developer ID to implement program distribution

Currently, I have implemented a project that includes network extension and system extension entitlements. When I create the profile using the development method, I get exactly the right entitlement matching. For example:

1. create app id (identifier)
2. create a profile, associate with the corresponding app id, generate the profile and download it locally.
3. In xcode, fill in the corresponding app id in Bundle Identifier, such as com.***.test.app, and fill in the corresponding development profile in Provisioning Profile.

At this point I was able to achieve a complete and correct program compiling and running. Now, I want to distribute this app by developer id. According to https://developer.apple.com/developer-id/ , I have several questions remain:

1. I followed this method https://developer.apple.com/help/account/create-certificates/create-developer-id-certificates/ to create a distribution certificate and created two new profiles (distribute- developer id), which is associated with the existing bundle ID (com.***.test.app, com.***.test.extension). But when I import the corresponding provisioning profile in xcode, it shows error:

Provisioning profile "***" doesn’t match the entitlement file’s value for the com.apple.developer.networking.networkextension entitlement. 

But isn't the corresponding entitlement information already selected when the app id is set? Why is the profile of the development type feasible, but the profile of the developer id is not feasible?

1. I have made relevant settings according to this method https://developer.apple.com/documentation/xcode/preparing-your-app-for-distribution/, and I don’t seem to need the hardened runtime and sandbox related content, so I don't have any settings. Maybe apple events in hardened runtime is necessary?

2. Submitting software to apple notarization seems to be a more trustworthy behavior for users, but at this stage I just want to simply implement distribution for program testing, so I chose export in archives-distribute app-developer id, and in the follow-up The same error as in question 1 appeared in the profile selection of the profile:

Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement.

So, overall: One is how to create the correct developer id profile? My two entitlements files are as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<false/>
	<key>com.apple.security.files.user-selected.read-only</key>
	<true/>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider</string>
	</array>
	<key>com.apple.security.app-sandbox</key>
	<false/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>$(TeamIdentifierPrefix)com.example.app-group</string>
	</array>
</dict>
</plist>

Second, is Apple notarization necessary?