When I started down the rabbit hole of struggling to get the packager to work, I purged all provisions/certificates from ~/Library/MobileDevice/Provisioning Profiles and did multiple purges of the Intermediate and Saved folders within the project. The only certificates that were loaded (via direct import) were the distribution provision and matching certificate.
I agree with the theory regarding DefaultEngine.ini being the ultimate decider of which pair to use (witnessing 4.12.5 behavior of a complete end-to-end cook). Hopefully, your diligence will help the UE4 engine developers get closer to the real answer for what I believe has been a bug since pre-4.13. I can’t believe that this didn’t get addressed in the 4.13.2 patch (as a blocking bug) since Epic realizes that companies do actually develop for the App Store (including Epic Games).