There's no need to embed the private key into the image. You can do it like this:
1) During the initial boot you generate a random keypair in the shim loader. Store the public part of the keypair in the UEFI storage.
2) The kernel keeps the private key in RAM during normal processing.
3) Use this private key to sign the hibernation image and then discard it (of course, taking care not to write it into the image).
4) During boot you first load the known-good kernel (checked by the shim), which can then retrieve the public key from the shim and check the signature.
5) If the signature matches, it can then load the image.
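The five-step flow above as a small Go simulation (an added example, not code from the comment author or from shim/Linux): `uefiStore` is an assumed stand-in for the UEFI variable storage, Ed25519 over a SHA-256 digest is an assumed signature scheme, and the private key is wiped from memory right after signing so it cannot end up inside the image.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// uefiStore stands in for the UEFI variable store the shim publishes the public key into.
type uefiStore struct{ pubKey ed25519.PublicKey }

// Step 1: the shim generates an ephemeral keypair at boot; only the public half is
// stored in UEFI storage, the private half is handed to the kernel (RAM only).
func shimInitialBoot() (*uefiStore, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &uefiStore{pubKey: pub}, priv, nil
}

// Steps 2-3: sign the image digest with the RAM-only private key, then wipe and drop
// it so the key cannot be written into the hibernation image itself.
func signHibernationImage(priv *ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	sig := ed25519.Sign(*priv, digest[:])
	for i := range *priv {
		(*priv)[i] = 0
	}
	*priv = nil
	return sig
}

// Steps 4-5: the shim-verified kernel fetches the public key from UEFI storage and
// resumes only if the signature over the image verifies.
func verifyAndResume(store *uefiStore, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(store.pubKey, digest[:], sig) {
		return errors.New("hibernation image signature mismatch; refusing to resume")
	}
	return nil
}

func main() {
	store, priv, _ := shimInitialBoot()
	image := []byte("constructed hibernation image") // constructed sample
	sig := signHibernationImage(&priv, image)
	fmt.Println("resume allowed:", verifyAndResume(store, image, sig) == nil)
}
```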