I have this problem too and opened a duplicate #939773 earlier with some investigation. Rephrasing my investigation from that duplicate:
In this kernel MOK key gets inserted into the .platform keyring (I see CONFIG_INTEGRITY_PLATFORM_KEYRING is set to true in the kernel config) which isn't used for validation of module signatures. I've found this related bug in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1701096. There are some links to upstream patches but I've just checked linux master and kernel/module_signing.c is still using only .secondary_trusted_keyring and .builtin_trusted_keyring to verify modules signatures while MOK key is added to .platform keyring.
