GrapheneOSA growing number of apps are using the Play Integrity API to enforce installation from the Play Store. This is clearly highly illegal anti-competitive behavior. It doesn't impact GrapheneOS users installing apps with the sandboxed Play Store but does impact other install sources.
This is being done alongside Google recommending app developers forbid installing their apps from the Play Store on operating systems not licensing Google Mobile Services. The combination of these feature ends up blocking users from easily using the apps without modifying them.
We're going to add a secure way of working around this without breaking the app source security model. We'll be adding support for having the OS automatically verify the Play Store signing metadata and then inform Play services those apps were installed from the Play Store.
It's worth noting Android has a standard hardware attestation API for verifying the hardware, firmware, OS and app. This supports alternate roots of trust and non-stock operating systems if apps choose to support it. Apps could perform stronger checks while allowing GrapheneOS.
Android's hardware attestation API has anti-competition issues due to the official verification libraries hard-wiring the Google roots and encouraging only permitting the stock OS. However, it does fully support any other OS with verified boot and can be used with other root CAs.
Google's Play Integrity API is quite different and only supports verifying devices licensing Google Mobile Devices with the stock OS. It has support for enforcing installing apps from the Play Store. None of this has anything to do with security. It's purely anti-competitive.
Raven (she/her) 
@GrapheneOS is this related to the error in the play store on apps like turo which say: "this app won't work for your device"?
@sparklepanic Yes, that's caused by the app marking their Play Store listing as requiring the Play Integrity API with the device or strong integrity level. The app may not actually require it and may work without it if installed from elsewhere. However, the app may check install location and enforce installing it from the Play Store.
If they properly implement the Play Integrity API, their services will check that the app passes it to use the services. Many apps are missing doing this though.
@sparklepanic If they enforce checking it for their services as was always intended from the beginning, there's no workaround. GrapheneOS shows a notification when an app uses the Play Integrity API so it's very obvious when it's the reason an app is blocking using it. Note the app triggers using it locally but their server fetches the result from Google's server itself and verifies the result there. However, some apps only enforce it via the Play Store toggles which don't do that.