@erikvanbeek Great question! Asymmetric encryption does indeed offer authentication "by default" but I'd say it's debatable if it is really "easier".

First, you need some kind of key management system, either a private key infrastrucutre (PKI), a Trust on First Use (TOFU) model (like SSH), etc. This adds complexity in places where you might not want any additional complexity.

Secondly, most applications of asymmetric encryption are used to exchange a symmetric key, and all further communication is then performed using the symmetric key exchanged over the asymmetric encryption. The main benefit of symmetric encryption is really performance. All modern CPUs have built-in instructions for AES (such as the AESENC instruction), which makes AES insanely fast on these CPUs.

So, the asymmetric encryption is used to establish "Yes, the entity sending this symmetric key is who they claim", and then authenticated symmetric encryption is used to ensure that any traffic after the initial key agreement is not tampered with.

Edit: I'm sorry, I think I saw "asymmetric encryption" and kinda missed what you were actually asking. While the above stands, let me try to specifically answer your question:

If I understand you correctly, you're proposing to send a "signature" of the AES key with each ciphertext, to prove ownership of the key?

This, unfortunately, doesn't work. The signature of the AES key will still be valid, even if the ciphertext has been tampered with, thus allowing an attacker control over the ciphertext (and thus, the plaintext). You'd need to sign the entire ciphertext, at which point we arrive at AES-GCM.