Certificate signing with a custom CNG Key Storage Provider (KSP) for remote signing fails in Protected Mode
I am implementing remote signing through a custom Windows CNG Key Storage Provider (KSP) and testing it in Adobe Acrobat Reader.
Everything seems to work fine as long as “Enable Protected Mode at startup” is disabled:
- I can “Use a certificate → Digitally Sign”, the certificate is visible and selectable in Acrobat
- I can preview the signature, click sign and apply the signature
- The file saves without a problem
As soon as I “Enable Protected Mode at startup”, it seems to work well up until I click sign:
- I can “Use a certificate → Digitally Sign”, the certificate is visible and selectable in Acrobat
- I can preview the signature
- Nothing happens when I click sign; no error message, not anything; just nothing
I understand “Protected Mode” may block some of the components; as far as I can tell, it loads the KSP DLL, calls GetKeyStorageInterface, calls OpenProvider, then stops. No calling of GetProviderProperty, EnumAlgorithms, etc.
Is certificate signing through a third-party custom CNG KSP supported by Acrobat when Protected Mode is enabled? If yes, are there any specific trust, signing, registration, or sandbox compatibility requirements for the provider DLL?
