BTW, in the soon coming SetupBuilder 2022 you can see the error messages (in a human readable form) returned from the signtool.exe. This is not possible in SetupBuilder 2019. signtool.exe only returns an error code value when called from a Windows API.

Another idea: try to develop a small application that uses the ShellExecute Windows API to execute the signtool.exe and let it code-sign a test.exe (do NOT use the command line or a batch!). This is exactly what the SetupBuilder compiler is doing. It calls signtool.exe via ShellExecuteA and passes the required switches and parameters. IMO, this will also fail in your case (because SafeNet might not be correctly configured?!). From the calling program's point-of-view, there is no difference between signing with a PFX or an EV certificate.