Readability and Usage #11

Open
wants to merge 5 commits into
base: master

rvandermate

After struggling to understand what to do, and encountering some errors along the way, I've updated the instructions and scripts in the following ways:

  • Made all the scripts executable (had a failure with the service file because it couldn't execute tpm2PolicyConfig)
  • Added PCR 8 to the seal, based on some information I found online that's the GRUB, kernel, and boot commandlines. Note: I didn't have issues like "PCR 8 dependency unreliable" (#5), even after a dist-upgrade after sealing against a fresh, un-updated Ubuntu install - although I can see the risk.
  • Updated README.md with step-by-step instructions
  • Updated script with information regarding which password/passphrase is being requested (I didn't know, for instance, that one of the passwords I was entering was for the MOK Enrollment)
  • Removed the service file, and instead instructed to run tpm2PolicyConfig directly after conditions have been met. I could be wrong on this, but I had to do some work turning Secure Boot off for Step 1, then back on after Step 1 - but before Step 2. Also seemed to help with clarity about what was going on, and if it was successful
  • Taking the persistent-handle right from the output of tpm2_evictcontrol (while still printing to the terminal); this fixes "The correct reference isn't always the last one" (#8), which I also encountered
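
The last bullet's approach, reading the handle from what tpm2_evictcontrol itself prints while still showing that output, can be done as follows. This is an added example, not the code from this pull request; `extract_persistent_handle`, `sample_output` and the handle value are hypothetical names and constructed data.

```shell
#!/bin/sh
# Constructed sample of the key/value text tpm2_evictcontrol prints after
# persisting an object (the handle value is made up for this example).
sample_output() {
    printf 'persistent-handle: 0x81000001\naction: persisted\n'
}

# Hypothetical helper: reads tpm2_evictcontrol output on stdin, copies every
# line to stderr so it still reaches the terminal, and prints the handle alone
# on stdout. Fails unless exactly one well-formed persistent handle is present.
extract_persistent_handle() {
    handle=""
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line" >&2
        case $line in
            persistent-handle:*)
                handle=$(printf '%s' "${line#persistent-handle:}" | tr -d ' \t\r')
                count=$((count + 1))
                ;;
        esac
    done
    [ "$count" -eq 1 ] || return 1
    # TPM 2.0 persistent handles occupy 0x81000000-0x81FFFFFF.
    case $handle in
        0x81[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F])
            printf '%s\n' "$handle"
            ;;
        *)
            return 1
            ;;
    esac
}

# Demo on the constructed sample; against a real TPM the input would be the
# piped output of tpm2_evictcontrol.
if handle=$(sample_output | extract_persistent_handle); then
    echo "persistent handle: $handle"
else
    echo "could not determine persistent handle" >&2
fi
```

Failing closed on a missing, duplicated or out-of-range handle keeps a later unseal step from being pointed at some other persistent object.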

rvandermate and others added 5 commits March 1, 2023 12:25
… incorrect, now getting it right from the output of tpm2_evictcontrol
…ted. Removed tpm2keyunlock service, user needs to enable secure boot before executing tpm2PolicyConfig
remove PCR8 (kernel cmdline?) because it was changing after seal

Successfully merging this pull request may close these issues.

The correct reference isn't always the last one