Through Secure Boot on Windows 10, I am trying to make it so that only a bootloader signed with my private key can boot on a machine. This means that even if someone else comes along with a Microsoft-trusted OS with all the digital signatures, it should fail to boot because it was not signed with my private key. As for the reason why I want to do this, I was told to do so, so I must find a way.
What I have done is deleted the firmware keys (PK, KEK, DB, DBX) in my BIOS and enrolled my own public keys, which I generated using OpenSSL. I then created a bootable USB disk using Rufus and signed the Windows bootloader, bootx64.efi, using sbsign with the corresponding private key (DB.key), effectively replacing Microsoft's signature with my own.
But when I try to boot via the USB, I get a blue screen with the following error:
The digital signature for this file couldn't be verified
Error Code 0xc0000428
It does not say which file, though, so I thought I had to sign all the .EFI binaries and then put them on the USB disk, which is what I did, but the same error occurred. I also tried disabling Secure Boot to see if that would change anything, but it still gave me the same error.
How can I get this to work? Am I missing something else here?
You can indeed write a custom bootloader, custom-signed by you. Allow the EFI to boot only that. Your custom bootloader must then verify and load a second-stage bootloader (Microsoft's one) signed by Microsoft.
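The two-stage chain the answer describes, modelled as an added example that is not code from the question, the answer, or any UEFI tool. openssl stands in for sbsign/sbverify and for the firmware's db check, the "loaders" are constructed text files, and the names owner, vendor, stage1.efi, bootmgfw.efi and the helper functions are assumptions made for the illustration. Real UEFI binaries carry Authenticode (PKCS#7) signatures; the toy keeps only the decision logic: the firmware trusts nothing but the owner's enrolled key, and only the owner's first stage trusts the vendor's key, so a vendor-signed bootloader presented straight to the firmware is refused.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or any UEFI tool.
# Models the two-stage chain of trust the answer describes:
#   firmware db (owner's key) -> stage-1 loader -> vendor-signed bootloader.
# Assumptions: openssl on PATH; "owner"/"vendor" key names, stage1.efi and
# bootmgfw.efi are constructed stand-ins; raw openssl dgst signatures stand in
# for the Authenticode (PKCS#7) signatures real UEFI binaries carry.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_key NAME: create an RSA key pair NAME.key (private) and NAME.pub (public).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" >/dev/null 2>&1
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" >/dev/null 2>&1
}

# sign_file FILE KEYNAME: detached SHA-256/RSA signature written to FILE.sig.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/$2.key" -out "$WORK/$1.sig" "$WORK/$1"
}

# verify_file FILE KEYNAME: exit 0 if FILE.sig verifies under KEYNAME.pub, else 1.
verify_file() {
    openssl dgst -sha256 -verify "$WORK/$2.pub" \
        -signature "$WORK/$1.sig" "$WORK/$1" >/dev/null 2>&1
}

# The firmware trusts only what the owner enrolled in db.
firmware_accepts() { verify_file "$1" owner; }

# The owner's stage-1 loader embeds the vendor's public key and trusts only that
# for the second stage; it never consults the firmware db.
stage1_accepts() { verify_file "$1" vendor; }

# boot_chain STAGE1 STAGE2: both checks must pass for the machine to boot.
boot_chain() { firmware_accepts "$1" && stage1_accepts "$2"; }

setup() {
    gen_key owner
    gen_key vendor
    printf 'constructed stage-1 loader\n' > "$WORK/stage1.efi"
    printf 'constructed vendor bootloader\n' > "$WORK/bootmgfw.efi"
    sign_file stage1.efi owner      # owner signs their own first stage
    sign_file bootmgfw.efi vendor   # vendor's signature is left untouched
    # A tampered copy of stage 1 that still carries the original signature.
    cp "$WORK/stage1.efi" "$WORK/stage1-tampered.efi"
    cp "$WORK/stage1.efi.sig" "$WORK/stage1-tampered.efi.sig"
    printf 'x' >> "$WORK/stage1-tampered.efi"
}

# report LABEL CMD...: print the outcome of one boot attempt without aborting.
report() {
    label=$1; shift
    if "$@"; then echo "ok      $label"; else echo "refused $label"; fi
}

setup
report "owner-signed stage 1 loading vendor-signed stage 2" boot_chain stage1.efi bootmgfw.efi
report "vendor-signed bootloader presented straight to firmware" firmware_accepts bootmgfw.efi
report "tampered stage 1 with its old signature" firmware_accepts stage1-tampered.efi
```

With real binaries the two checks become sbverify --cert with the owner's db certificate at the firmware step and an Authenticode verification against the embedded Microsoft certificate inside the first stage; the script reproduces only the trust decisions, not the signature format.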
User contributions licensed under CC BY-SA 3.0