For anybody else who stumbles across this thread, I wanted to summarize because it wasn’t initially obvious to me:
Adding darwin.cctools to the PATH for the affected derivation will fix the problem (since darwin.cctools provides codesign_allocate). One way to do so is something like:
nativeBuildInputs = lib.optional stdenv.isDarwin darwin.cctools;
That workaround would no longer be necessary once something like darwin.postFixupSignHook: use absolute path to codesign_allocate by sternenseemann · Pull Request #148282 · NixOS/nixpkgs · GitHub is merged.