There is a member on the SUMO forum that had a question about addon signing. They are making a private addon for a company and part of their contract is that it can’t be shared with third parties. Therefore, submitting the addon to AMO for signing doesn’t work because the XPI is stored on Mozilla servers.
I see that Mozilla now offers alternative signing methods, one of which is the web-ext sign command. I’ve never used this before, but does the addon get uploaded to AMO at any point during the automated signing process?