Testflight entitlements break local version

Hello,

I cannot build a signed app that will both be accepted by Testflight and run locally. Only one or the other!

I'm singing my .app and building the package thus:

CODESIGN_ID="Apple Distribution: company (number)"
INSTALLSIGN_ID="3rd Party Mac Developer Installer: company (number)"
codesign --force --deep --entitlements plist.xcent -o runtime --timestamp --sign "$CODESIGN_ID" myapp.app
productbuild --sign "$INSTALLSIGN_ID" --timestamp --component myapp.app /Applications myapp.pkg

With entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.get-task-allow</key>
	<false/>
        <key>com.apple.security.app-sandbox</key>
      	<true/>
        <key>com.apple.security.network.client</key>
       	<true/>
        <key>com.apple.security.files.user-selected.read-write</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
        <key>com.apple.application-identifier</key>
        <string>TEAM.com.COMPANY.APPNAME</string>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAM/string>
</dict>
</plist>

If I leave out the last two entitlements "com.apple.application-identifier" and "com.apple.developer.team-identifier", the package validates and runs locally. It can be uploaded but it is NOT accepted by Testflight.

When i add the last two entitlements (above), it will not validate until i also add in my provisioning profile into; myapp.app/Contents/embedded.provisionprofile

When this is done, the package validates, uploads and is accepted by Testflight. It can be tested and runs.

But, myapp.app will no longer run locally!! no will the local copy of myapp.pkg install. It will only run through Testflight or will run again if i take out the above keys that Testflight apparently requires.

Can anyone shed any light on this? Am i doing something wrong.

Thanks for any help.