At ACM SCORED last year, I gave a talk on exactly this topic: https://dl.acm.org/doi/10.1145/3689944.3696350

Conceptually, you nailed it with the last mile. You want to tie the runtime service's attestation report to the provenance that was generated at build time (and signed by the attested build environment). You can do this by including a copy of it with the service and serving it directly; or the build environment can publish it to a place where clients can later look it up using the Confidential Computing service's attestation measurements.

SLSA is also integrating Confidential Computing as a way to get stronger guarantees about the build environment: https://slsa.dev/spec/draft/attested-build-env-levels#builde... . There was another talk at ACM SCORED about the tradeoffs of hardware-attested vs. reproducible builds: https://dl.acm.org/doi/10.1145/3689944.3696351