I would like to allow standard users to install my application that requires elevated permissions, for example, installing "Per machine" that writes to C:\Program Files.
There are a number of ways to do this, but the least intrusive (compared to advertising/publishing/SCCM) seems to be enabling the group policy "Always install with elevated privileges".
This obviously is a security risk, but can it be properly mitigated by configuring AppLocker to run only MSIs signed by one or more specific publishers or are there some workarounds to abuse this?
AppLocker could be an acceptable compensating control. It could be configured with rules to allow signed MSIs from the vendors that you specify, which presumably would also include Microsoft and your hardware vendor.
This is probably more realistic than using AppLocker to restrict executables, because MSI installation by end users is actually quite rare, and restricting executables to only approved signers can trip up even the largest vendors (HP or Dell occasionally release an unsigned binary).
One downside is that if you haven't used AppLocker, adoption isn't trivial and you probably want to test it thoroughly by identifying all of the vendors you will need to allow. However, AppLocker no longer has SKU restrictions and has worked on Windows 10/11 Professional since 2022.
https://support.microsoft.com/en-us/topic/kb5024351-removal-of-windows-edition-checks-for-applocker-e3a763c9-6a3e-4d9c-8623-0ffe69046470
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker
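The compensating control the answer describes, as an added PowerShell example that is not part of the question or answer: it audits the AlwaysInstallElevated setting, builds an AppLocker publisher rule for the Windows Installer collection from one signed MSI, and dry-runs the policy before merging it. The paths in `$ReferenceMsi` and `$TestMsi` are placeholders you supply.

```powershell
# Added example (not from the question or answer). Run in an elevated session.
# $ReferenceMsi and $TestMsi are assumed placeholder paths, not real vendor files.
#Requires -RunAsAdministrator
Import-Module AppLocker

$ReferenceMsi = 'C:\Deploy\YourSigned.msi'   # one signed MSI per publisher you trust (placeholder)
$TestMsi      = 'C:\Deploy\untrusted.msi'    # an MSI from a signer you do NOT trust (placeholder)

# 1. AlwaysInstallElevated only takes effect when BOTH the machine and the user
#    policy values are 1, so report both hives.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    $val = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    '{0} AlwaysInstallElevated = {1}' -f $hive, $(if ($null -eq $val) { 'not set' } else { $val })
}

# 2. AppLocker rules are only enforced while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: $($svc.Status)"

# 3. Derive a publisher rule from the Authenticode signature on the reference MSI.
#    Publisher rules key on the signing certificate chain, so an MSI from a
#    different signer does not match even if it is renamed or repackaged.
$fileInfo = Get-AppLockerFileInformation -Path $ReferenceMsi
if (-not $fileInfo.Publisher) {
    throw "$ReferenceMsi is not Authenticode-signed; a publisher rule cannot be built from it."
}
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
            -User Everyone -RuleNamePrefix 'TrustedMsi' -Optimize

# 4. Dry-run: the reference MSI should be Allowed and the untrusted one Denied.
Test-AppLockerPolicy -PolicyObject $policy -Path $ReferenceMsi, $TestMsi -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the local policy. Pilot the Msi collection in AuditOnly mode and
#    review the AppLocker event log before switching it to Enforce.
Set-AppLockerPolicy -PolicyObject $policy -Merge
```

If you also generate AppLocker's default Windows Installer rules, remove the "all digitally signed Windows Installer files" rule, since it would allow any signed MSI rather than only the publishers you listed.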