by nathansoz 2136 days ago
Windows signing isn't centrally managed through Microsoft, which is an important distinction I think.

IIRC, the CAs Windows trusts charge absolutely ridiculous amounts of money, unless something has changed recently.
Which CAs are available for Windows, and how much do they cost, out of curiosity? Not a Windows developer.
Certificate Authorities trusted by Microsoft for the purpose of Code Signing would need to issue you a certificate with the appropriate EKU (Extended Key Usage, saying this is for Code Signing). Technically a user could add some CA you spun up for this purpose to their Windows install, but if you're going to all this bother you could just get them to click past the warning, of course...

The CCADB can tell you which CA roots are trusted by Microsoft for this purpose:

https://ccadb-public.secure.force.com/microsoft/IncludedCACe...

You're looking for a CA which has Microsoft Trust Bits including Code Signing, and Microsoft Status of "Included"

Price: A couple of hundred bucks per year. Vendors with very well known brands like DigiCert's "Symantec" brand (famous despite the fact Symantec actually ran their CA so terribly they ended up selling the brand to DigiCert... the CA they'd operated was distrusted) maybe $500 a year and higher. But your users don't care about the brand, so pick a cheaper product like Sectigo's; they work just the same.

It's a little more expensive if you want "Extended Validation" aka "EV Code Signing". If you write Windows kernel drivers you need this, otherwise it might only make the UI shown to inquisitive users nicer so don't bother unless you hate money.

NB. Yes ISRG (the people behind Let's Encrypt) are trusted by Microsoft but no they aren't trusted to provide Code Signing certificates, even if they wanted to, which they do not.
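
The "spun up your own CA" case and the EKU check from the comment above, as an added PowerShell example (not code from the thread or any commenter). The subject name "CN=Example Dev Signing", the file .\hello.ps1 and the one-year lifetime are assumptions; the cmdlets are standard on Windows 10 / Server 2016 and later.

```powershell
# Added example, not from the HN thread. Windows PowerShell 5.1 or PowerShell 7 on Windows.
# Hypothetical values: subject "CN=Example Dev Signing", script .\hello.ps1, one-year lifetime.

# 1. Mint a self-signed code-signing certificate (the "CA you spun up" case).
#    -Type CodeSigningCert puts the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) on the cert.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject "CN=Example Dev Signing" `
    -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddYears(1)

# 2. Check the EKU. A purchased cert must carry this OID too, or Windows will not
#    accept it for Authenticode no matter which trusted CA issued it.
$codeSigningOid = "1.3.6.1.5.5.7.3.3"
$hasEku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid }
if (-not $hasEku) { throw "Certificate lacks the Code Signing EKU" }

# 3. Sign a script with it. With a CA-issued cert you would also pass -TimestampServer
#    so the signature stays valid after the certificate expires.
"Write-Host 'hello'" | Set-Content -Path .\hello.ps1
Set-AuthenticodeSignature -FilePath .\hello.ps1 -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 4. Verify. Because the chain ends in a root Windows does not trust, Status comes back
#    UnknownError (untrusted chain) rather than Valid. Only a cert chaining to a root that
#    Microsoft lists with the Code Signing trust bit verifies as Valid; alternatively the user
#    imports your root into Cert:\CurrentUser\Root, which is the "add some CA" path.
$sig = Get-AuthenticodeSignature -FilePath .\hello.ps1
"{0}: {1}" -f $sig.Status, $sig.StatusMessage

# 5. For a real certificate, show who issued it and whether it is an EV code-signing cert:
#    EV code-signing certs carry the CA/Browser Forum policy OID 2.23.140.1.3 in the
#    Certificate Policies extension (OID 2.5.29.32). The self-signed cert has no such extension.
$evPolicyOid = "2.23.140.1.3"
$policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.32" }
$isEv = [bool]($policies -and ($policies.Format($true) -match [regex]::Escape($evPolicyOid)))
"Issuer: {0}; EV code signing: {1}" -f $cert.Issuer, $isEv
```

Run the block as-is to see the UnknownError status for the self-signed case, then replace step 1 with `Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert` to pick up a purchased certificate and watch the status flip to Valid and the EV check report what the CA actually sold you.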

My boss doesn't want to pay for a certificate so now all my Windows 10 users (we still have some Win 7 installs out there and even a couple XP) never update my ClickOnce apps.

And this is why out of spite I developed "ClickTwice". It's certainly not as good as ClickOnce, but at least I ensure they use the latest version of the apps I dev.

I paid $240 for a four year certificate in 2017. I think the maximum length is three years now though.

KSoftware has a really good reputation.

https://www.ksoftware.net/

I've been using Tucows for many years. They resell Comodo code-signing certificates for ~$75/yr (less if you buy multiple years).
Most CAs can do this. It's not restricted.
Certum seems to be reasonable for open source code.