TIL. I can think of many simple ways to mitigate such attacks. Of course, the real solution is, never try to roll your own crypto. Use a well established library whenever possible.
The reason this sort of thing comes up a lot is that it doesn't feel like rolling your own crypto. Developers will be quick to point out that their language of choice has a well established sha 256 library, developed by experts, who did all the crypto rolling. And then they came up with some workflow using it, not expecting this sort of interaction involving the way they use it.
I think (and to be clear this is just addressed at the world as a lament, not directed at you) the issue is that people have an incorrect concept of what the phrase "rolling your own cryptography" even means; when I give talks on security, I always note that while there are tricky issues with some primitives for some use cases involving stuff like "does your code leak information via timing, power usage, caches, etc." that by-and-large the issue isn't about implementing a well-established low-level primitive--or, I will claim (maybe to my peril! ;P), even a high-level protocol--yourself instead of using an existing implementation: it is about coming up with your own design, whether it be your own checksum / hash function / signature algorithm... or your own protocol / scheme for using these primitives to accomplish a goal, as the stuff you will do wrong is not knowing all the corner cases in how to wield the pieces as these low-level cryptographic primitives are not and pretty much can't be leak-proof abstractions: they are little bits of math that often have to be used exactly correctly and even then only still provide some level of protection / risk mitigation against an adversary... when developers waltz in and assume the low-level hash function is in some sense perfect and provides some unbreakable abstract functionality, you are going to think something is trivial that is in fact very very hard.
SHA3 KMAC is almost just this (a keyed hash) --- with a length appended, and some domain separation. You can make a MAC out of a truncated keyed SHA2 hash (but don't).