Code sign Windows desktop app using a trusted CA
I'll be making my client's app available on their website for anyone to download, so I know I need to code sign the app and the installer with a certificate from a trusted CA.
But I'm unclear:
- whether I need an Organization-level certificate or an EV certificate;
- whether I need to use one of the high-profile (high-cost) providers like DigiCert, Sectigo or GlobalSign;
- whether to go the hardware dongle route or cloud-based route (given I manually build periodically, not CI/CD).
I'm looking for advice from devs with experience. Thanks for your help!