Hey there!
That’s because PXE booting with Secureboot expects you to have the whole cert chain correctly, which means, as you already noticed booting with the Rocky shim and then trying to install Alma, Ubuntu, RHEL or any other distro will end in a bad shim error.
Coming from the Foreman world, I know that a team there has been working on implementing a function that serves individual shims for each different distro that gets PXE booted,
it basically boils down to the DHCP server being managed by Foreman and serving the correct shim to the correct distro to boot 
There was also a talk about that on multiple conferences up to now, the last one being the CfgMgmtCamp:
Maybe this helps you too if you just want to implement this yourself the barebones way 