I didn't request fwupdmgr update --verbose, I requested fwupdtool update --verbose. There was a reason I requested that difference.
Anyway though; the problem is very clear now from your output from fwupdmgr as well.
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is present in dbx
What is going on is that the ESP contains another bootloader that is used for the recovery partition, which, if the Secure Boot DBX update was pushed down, would no longer be able to execute. This other bootloader needs to be updated before the DBX update will be accepted.
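Added example, not part of the comment above and not fwupd's own code: a sketch of the kind of check behind the "Authenticode checksum ... is present in dbx" message, showing that the digest ignores the PE checksum field and the signature, so re-signing a revoked bootloader does not unblock it; only a rebuilt binary does. The function names are hypothetical, the sample image and dbx set are constructed, and it assumes the signature table, if present, is the last thing in the file.

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """Authenticode SHA-256 of a PE image whose signature table, if any, ends the file."""
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt = pe_off + 24                              # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    checksum = opt + 64                            # CheckSum field, skipped by the digest
    cert_entry = dirs + 4 * 8                      # data directory 4: Certificate Table
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    end = cert_off if cert_off and cert_size else len(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_entry])
    h.update(pe[cert_entry + 8:end])               # the signature blob itself is not hashed
    return h.hexdigest()

def is_blocked(pe: bytes, dbx_sha256: set) -> bool:
    """True if the image's Authenticode digest is listed in the given dbx hash set."""
    return authenticode_sha256(pe) in dbx_sha256

def constructed_image(code: bytes, signature: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ layout for this demo (not a bootable binary)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 64, checksum)
    if signature:                                  # point the Certificate Table at the tail
        struct.pack_into("<II", hdr, opt + 112 + 32, len(hdr) + len(code), len(signature))
    return bytes(hdr) + code + signature

if __name__ == "__main__":
    old = constructed_image(b"\x90" * 64, signature=b"S" * 32, checksum=0x1234)
    dbx = {authenticode_sha256(old)}               # constructed dbx entry
    resigned = constructed_image(b"\x90" * 64, signature=b"T" * 48)
    rebuilt = constructed_image(b"\xcc" * 64)
    print(is_blocked(resigned, dbx), is_blocked(rebuilt, dbx))
```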