As @thals1992 mentioned, the AETX contains a certificate store for Microsoft's "Enterprise" applications. It contains the top CA (Symantec Enterprise Mobile CA for Microsoft) as well as what seems to be a unique SPC linking it back to the original App Studio account (the SPC certificate's subject contains my unique ID). The SPC certificate (public key only) contains the "Enterprise" OID (2.16.840.1.113733.1.8.52.1).
The "EnrollmentToken" found in the provxml content is contained in an <AET> element. This element is signed using the standard XML signing format. So if we were to modify it and inject our stuff in there, we'd still need to sign it using a valid MS certificate (I'm guessing). Nonetheless, this is a provxml request so, who knows what other kind of data we can put in there...
One more thing that I could add is that the "AETX" file types are associated with "\programs\EnterpriseInstall\EnterpriseInstall.exe". The application is launched with the following argument: TOKEN={0}&TYPE=.AETX (where {0} is something - maybe the XML content of the <AET> element?). This is the exact same application that's used for regular XAP files; the only difference is the "TYPE" query string is set to ".XAP" instead of ".AETX". I'm able to call this exe and pass the parameters manually using my "Native Toast Notification Launcher" app and inputting the following URI (replace {0} and {1} accordingly): app://DA52FA01-AC0F-479D-957F-BFE4595941CB/DefaultTask?TOKEN={0}&TYPE=.{1}
Note: I haven't tried to actually pass the <AET> data yet to EnterpriseInstall.exe, I'm too tired, I'll try that tomorrow...
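Added example, not part of the original post: a standard-library DER walker that lists every OID in a certificate blob and reports whether the "Enterprise" OID quoted above is present. The SAMPLE bytes are constructed for illustration (they are not taken from a real AETX), and the second OID in them, 1.3.6.1.5.5.7.3.3 (code signing), is filler chosen for this example.

```python
ENTERPRISE_OID = "2.16.840.1.113733.1.8.52.1"  # OID quoted in the post
# Constructed sample, not a real AETX certificate: SEQUENCE { OID, OCTET STRING { SEQUENCE { OID } } }
SAMPLE = bytes.fromhex("301b060b6086480186f84501083401040c300a06082b06010505070303")

def read_tlv(buf, pos, end):  # -> (tag, value_start, value_end) of the element at pos
    if pos + 2 > end or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or multi-byte tag")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value runs past its container")
    return tag, pos, pos + length

def decode_oid(body):  # base-128 content bytes -> dotted string
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)          # the first two arcs are packed into one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def find_oids(buf, pos=0, end=None):  # every OID in the blob, in order of appearance
    end = len(buf) if end is None else end
    oids = []
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        if tag == 0x06:                    # OBJECT IDENTIFIER
            oids.append(decode_oid(buf[vs:ve]))
        elif tag & 0x20:                   # constructed: SEQUENCE, SET, [n]
            oids += find_oids(buf, vs, ve)
        elif tag == 0x04:                  # OCTET STRING may wrap DER (extension values)
            try:
                oids += find_oids(buf, vs, ve)
            except ValueError:
                pass                       # opaque bytes, not nested DER
        pos = ve
    return oids

print(find_oids(SAMPLE), ENTERPRISE_OID in find_oids(SAMPLE))
```

The walker reports only that an OID occurs somewhere in the structure, not which field (subject, extension, policy) carries it, and it says nothing about whether the certificate chains to a trusted CA.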