When installing the latest DBX list, it fails because the size of OVMF-VARS is too small.  the  edk2-ovmf does provide a bigger OVMF-VARS in the directory /usr/share/edk2/ovmf-4m.

The specification for selecting the OVMF version is controlled by files in the directory /usr/share/qemu/firmware provided by the qemu project.  Currently it does not provide the ovmf-4m version.

I created the file /usr/share/qemu/firmware/20-edk2-ovmf-x64-sb-4m-enrolled.json as a copy of /usr/share/qemu/firmware/30-edk2-ovmf-x64-sb-enrolled.json with the following differences

--- /usr/share/qemu/firmware/20-edk2-ovmf-x64-sb-4m-enrolled.json	2023-07-28 16:06:57.046773014 +0200
+++ /usr/share/qemu/firmware/30-edk2-ovmf-x64-sb-enrolled.json	2023-06-26 02:00:00.000000000 +0200
@@ -6,11 +6,11 @@
     "mapping": {
         "device": "flash",
         "executable": {
-            "filename": "/usr/share/edk2/ovmf-4m/OVMF_CODE.secboot.fd",
+            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
             "format": "raw"
         },
         "nvram-template": {
-            "filename": "/usr/share/edk2/ovmf-4m/OVMF_VARS.secboot.fd",
+            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd",
             "format": "raw"
         }
     },

With that in place I can create a new VM and I can update the dbx list without problems

Reproducible: Always