I have the same key pair for both avb and ota signing (so the parameter for --key-avb and --key-ota is the same, though the passphrase to decrypt the private key still needs to be typed twice, but may be omitted if the private key is not encrypted), and use the following script to make lockable personal ota packages:
#!/bin/sh
exec "$HOME/git/avbroot/target/release/avbroot" ota patch \
--key-avb "$1" --key-ota "$1" --cert-ota "$2" \
--rootless --clear-vbmeta-flags -i "$3" -o "$4"
“$3” is the ota package to be resigned, “$4” is the path to save the resigned output.
You can use the current build process to produce non-lockable ota packages, and then use avbroot and the same key pair(s) to turn them into lockable ota packages by resigning.