As mentioned above you have to approve the binary two times (at least), being careful the first time because the dialog popup offers to remove the binary. Also since our product has some networking to do one has to mingle with firewall settings to allow the binary to do the networking.
To check I did this: removed the signature (LC_CODE_SIGNATURE section) using lief Python package (no affiliation, just looked suitable for the task), checked by otool that the section is indeed gone, started the binary - it worked. The spctl said that the binary is "rejected", but it says so about every non-Apple binary I checked on my machine so not informative. The codesign tool shows "is not signed at all" on the binary with stripped signature.
I'm not too well-versed in OSX system/dev tools, so if there is a more correct/precise method of checking the signatures I'd very much like to know.
Nope, 15.7.2. Maybe there are some settings, unknown to me, that are configured by MDM and that allow for such behaviour - our Macbooks are managed by the employer and are intended for development, so would be logical to set them up this way.