What you want to do cannot be done in a shortcode.
wp_signon needs to set some HTTP headers for the cookie, but it’s too late.
When your browser recieves a webpage, it recieves some headers that tell it what it’s recieving and stuff like wether it succeeded or not, is it a 404, what cookies there are etc. Then it has a body which contains the webpage itself, e.g. a JSON string, or a bunch of HTML.
So once the headers are sent, and the body starts, no more headers can be sent.
This isn’t a WordPress specific thing, but a universal HTTP/HTML thing. E.g. if you run a python app and send a header to the browser telling it HTTP 200, and the body section has started, that python app can’t just add an extra header for a cookie at the end. The server has to respond with a valid HTTP request that follows an expected format for the browser to process, then JS might do some work on the browser side and make extra requests, there’s no mutual back and forth that would allow this.
So if you use a shortcode, output has already started, you got your header, and the page title, and the body tag etc etc. That’s body output, it needs to send headers to do that, so the very first time any output of any kind, even a blank space is echo’d out, PHP sends the HTTP headers indicating that HTML is on its way.
So if you want to call wp_signon, it has to happen before any output occurs. A shortcode is too late for this.
Shortcodes are meant to allow you to embed things that need PHP to run, they were never intended for this kind of functionality. Sure embed a login form, but the handling can’t be done in the shortcode itself, you will need to hook into an earlier hook like init, look at the GET/POST details to see if the user submitted the form, then do all the handling needed to call wp_signon at that point.