Here is what seems to have worked for me for a Xojo app distributed via a signed DMG.
1. Open the Application Loader developer tool in Xcode. Log in to your developer account and check the box to remember the login so a keychain entry is created. This allows you to skip entering your password in subsequent steps.
2. Code sign your app with the hardened runtime option (you may need entitlements if you are accessing any protected resources). For example:
$ codesign --force --options runtime --deep --sign "Developer ID Application: COMPANYNAME" MYAPP.app
3. Bundle the app into a signed DMG for distribution. Steps omitted.
4. Upload the signed DMG for notarization:
$ xcrun altool --notarize-app -f MYAPP.dmg --primary-bundle-id MYBUNDLEID -u MYAPPLEID -p @keychain:"Application Loader: MYAPPLEID"
5. A RequestUUID is returned. Periodically check the status of the notarization until it has completed:
$ xcrun altool --notarization-info REQUESTUUID -u MYAPPLEID -p @keychain:"Application Loader: MYAPPLEID"
6. When the notarization is complete, staple the ticket to the DMG:
$ xcrun stapler staple -v MYAPP.dmg
7. After installing your app, verify that it is notarized:
$ spctl -a -v /Applications/MYAPP.app
MYAPP.app: accepted
source=Notarized Developer ID
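
Steps 5 and 6 as a polling loop, added here as an example and not part of the original post: it waits for the notarization result and returns success only when altool reports it, so the staple step never runs on a rejected or unfinished upload. It assumes the `RequestUUID = ...` and `Status: ...` lines that altool prints; `APPLE_ID`, `FETCH` and `POLL_SECONDS` are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# APPLE_ID stands in for MYAPPLEID; FETCH and POLL_SECONDS are hypothetical hooks.

# Pull the RequestUUID out of the text printed by `altool --notarize-app` (step 4).
extract_request_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*=[[:space:]]*\([0-9A-Fa-f-]\{36\}\).*$/\1/p' | head -n 1
}

# Pull the Status field out of `altool --notarization-info` output (step 5).
# "Status Code:" and "Status Message:" are different fields and do not match.
extract_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# Default fetcher: the step 5 command from the post.
fetch_info() {
    xcrun altool --notarization-info "$1" -u "$APPLE_ID" \
        -p "@keychain:Application Loader: $APPLE_ID"
}

# Poll until the status leaves "in progress".
# Returns 0 only on "success", 1 on any other final status, 2 on timeout.
wait_for_notarization() {
    uuid=$1
    tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        status=$("${FETCH:-fetch_info}" "$uuid" 2>&1 | extract_status)
        case "$status" in
            success) return 0 ;;
            "in progress"|"") ;;   # not finished yet, or no Status line in this reply
            *) echo "notarization failed: $status" >&2; return 1 ;;
        esac
        tries=$((tries - 1))
        sleep "${POLL_SECONDS:-30}"
    done
    echo "timed out waiting for $uuid" >&2
    return 2
}

# Typical use after step 4, with REQUESTUUID taken from extract_request_uuid:
#   wait_for_notarization "$REQUESTUUID" && xcrun stapler staple -v MYAPP.dmg
```

On a non-success result, the log URL shown in the notarization-info output is where to look before re-signing and uploading again.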