Hacker News

vablings, yesterday at 7:30 PM

The basic explanation is that it prevents binaries that are not signed by default from being loaded during the boot process. It only restricts the booting process in the UEFI stage. If an executable has been modified, then it will not load due to secure boot. Technically there is nothing stopping you from modifying, say, winload.efi and signing it with your own key, then adding that key to your BIOS keystore so that it will pass secure boot checks and still use secure boot.

I think the biggest thing is that the anticheat devs are using Microsoft's CA to check if your EFI executable was signed by Microsoft. If that was the case then it's all good and you are allowed to play the game you paid money for.

I haven't tested a self-signed secure boot for Battlefield 6; I know some games literally do not care if you signed your own stuff, only if secure boot is actually enabled.

Edit: Someone else confirmed they require TPM to be enabled too, meaning yeah, they are using remote attestation to verify the validity of the signed binary.
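
An added example, not part of the comment above and not any anti-cheat vendor's code: a simplified model of how a remote verifier can tell a stock boot chain from a self-signed one even though Secure Boot is enabled in both. It assumes the TCG convention that PCR 7 records Secure Boot policy and PCR 4 records boot manager code; the measured byte strings are constructed placeholders, and checking the quote's signature is assumed to have happened already.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM PCR extend semantics: new value = H(old value || event digest)
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log):
    # Recompute PCR values from an ordered log of (pcr_index, measured_bytes).
    pcrs = {}
    for index, measured in event_log:
        start = pcrs.get(index, bytes(32))  # SHA-256 PCRs start as zeros at boot
        pcrs[index] = extend(start, hashlib.sha256(measured).digest())
    return pcrs

def appraise(event_log, quoted_pcrs, reference_pcrs):
    # Verifier side. Assumption: the quote's signature was already checked
    # against the TPM's attestation key (omitted in this model).
    if replay(event_log) != quoted_pcrs:
        return "reject: event log does not reproduce quoted PCRs"
    drift = sorted(i for i in reference_pcrs
                   if quoted_pcrs.get(i) != reference_pcrs[i])
    return f"reject: PCR {drift} differ from reference" if drift else "accept"

# Constructed measurements (placeholders, not real firmware data).
STOCK = [
    (7, b"SecureBoot=1"),
    (7, b"db=[vendor-ca]"),
    (4, b"bootloader-image-signed-by-vendor-ca"),
]
SELF_SIGNED = [
    (7, b"SecureBoot=1"),               # Secure Boot is still enabled
    (7, b"db=[vendor-ca, owner-key]"),  # extra key enrolled in the keystore
    (4, b"bootloader-image-resigned-by-owner-key"),
]
REFERENCE = replay(STOCK)

if __name__ == "__main__":
    print(appraise(STOCK, replay(STOCK), REFERENCE))
    print(appraise(SELF_SIGNED, replay(SELF_SIGNED), REFERENCE))
    # A stock-looking log sent alongside a quote from the self-signed machine:
    print(appraise(STOCK, replay(SELF_SIGNED), REFERENCE))
```

A check that only reads the "Secure Boot enabled" flag sees the same value in both logs; the PCR comparison is what separates them.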