MacOS Ventura: Unable to replace application bundle in /Applications

I am trying to replace an application bundle at /Applications/example.app with an updated version of the same bundle on OSX Ventura and I get Operation not permitted. Both bundles are signed and notarized with the same identity. Inside both applications bundles I have a tool called swap which takes two paths, and does a renamex_np(pathA, pathB, RENAME_SWAP) which results in Operation not permitted. I can run codesign -dvvv <appbundle> for both app bundles, and can see the Authority, TeamIdentifier, Identity all set, and are the same for both. I also do this same command on the swap app, and see Authority, and TeamIdentifier match the bundle, with Identifier=swap.

The notification pops up saying "Application X was prevented from updating or deleting apps on your Mac."

Some notes:

• If I allow the app under App Management, it works.
• The app bundle app can modify itself however it wishes.
• For signed apps, macOS allows apps from the same developer — those sharing the same Team ID — to modify the app’s bundle. This does not seem to be working.
• WWDC2022 video. Repeats the above point: apps signed with same Team ID can update each other. Jump to 5min. Signing issue?
• Console log shows TCC (Transparency, Control and Consent) kTCCServiceSystemPolicyAppBundles is blocking the application. TCC was extended to /Applications folder in Ventura.

Help! Thanks

After the massive set of evidence that suggested everything was in-place, I starting thinking the Gatekeeper mechanism was out of sync with reality, and did a reboot. After this I ran the application, hit update, and the package was replaced without issue.

Some notes:

• The application is standalone (plist or entitlements are not required).
• We are actually using replaceItemAt... over renamex_np. Be sure to do this operation for targets on the same volume!