The Fedora secure boot signing keys were updated after F32 was initially released to deal with the grub2 problems found during the summer. I believe some systems have needed firmware updates from the manufacturer to work with the new key because they worked by white listing the old set, and don't know how to handle when a new key signed and authorized is presented. I don't know how the Surface Pro does its firmware updates and if one is needed.