Update: We’ve enabled signing of end-entity certificates containing EC public keys in production.
Big thanks to @hlandau and @selecadm for their help on this!