Electronic digital signature

How to organize the signing of documents on the ETP?

Good afternoon, colleagues.
The time has come for our modest organization to start its own platform for work on 222-FZ.
We were faced with the following question - how to work with EDS correctly (and according to the laws of our country, if they regulate such things, and according to banal security)?
The initial option is to sign every important user action using an EDS (IE + CAPICOM + cryptcp). However, in this case, we simply see that the user such and such has uploaded a file such and such a document (for example, a bid).
In theory, if a resource was attacked, this file could easily be replaced with any other (for example, with a bid price 2 times less), and according to the rules of grief, the winner would have to pay.
I see two ways out of this:
A) Force clients to sign all doc files (and work accordingly only with them) in their Microsoft Office and only after that upload and accept them for work.
B) Somehow sign the file when uploading or with a special button on the site after uploading, as, for example, is done with some actions on zakupki.gov.ru ( zakupki.gov.ru/wps/portal/faq/utilities/PGZ. User_G... clause 4.4.4.)
My research has led to the fact that I can probably make the file, for example, signed with the user's certificate hash of the file, but whether this is the right solution or not, I'm not sure.
In theory, the combination of the signed hash of the file should be unique for the combination "EDS owner" + "specific file".
I would like to hear advice, experience in implementing such functions, or where you can read about the technical side of such problems.
Thanks in advance.