From what I can make out there BL is burned/flashed to efuse and secure boot flag is then set which is irreversible then.
boot.img is then signed and this is used to boot the system.
Without the keys that Xiaomi used we obviously can’t build signed images unless Xiaomi used the standard certificates but it’s been a while since any OEM did this.
Strange still that Armbian can boot because they are not using signed boot images.