Comment by maxbond
To expand, generally you wouldn't want to change the identity of the document by signing it (eg change it's hash). That's bananas. If the signature was external to the document, you wouldn't need any complex and error prone rules to canonicalize. You'd just generate an HMAC tag and send it alongside (or, better yet, use an authenticated encryption like AES-GCM).
The sane thing is to sign bytes, as you suggest. But OP is right that it needs to preclude adding signatures to a document.