I don't think it matters either way.
If you didn't have the certificate on all those machines, then it'd be quicker to get things going by doing "Select from file" and checking the .pfx into source control.
We limit the access to our password for our .pfx, so it's a different story. We also need to change our manifest files post-build. So we don't enable code signing at build and instead have a post-build process that signs things using the .pfx on a share. The build automation hides the password from its logs, so no developer actually knows the password.
All three ways (from file, from store, post-build) end up getting you signed manifests. Each way has its pros and cons depending on company policy.
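As an added illustration (not the poster's script), a post-build signing step of the kind described above could look like this with `mage.exe`. The share path, the `SIGNING_PFX_PASSWORD` variable, the parameter names and the `Invoke-Mage` helper are all assumptions made for the example.

```powershell
# Added example: post-build ClickOnce manifest signing with a .pfx on a share.
# All paths, names and the environment variable are hypothetical.
param(
    [Parameter(Mandatory)] [string] $AppManifest,     # path to <app>.exe.manifest
    [Parameter(Mandatory)] [string] $DeployManifest,  # path to <app>.application
    [string] $PfxPath = '\\buildshare\signing\codesign.pfx',  # placeholder share path
    [string] $Mage    = 'mage.exe'                    # assumed to be on PATH
)
$ErrorActionPreference = 'Stop'

# The build server injects the password as a masked secret variable.
# It is never written to the host, a file, or an exception message.
$pfxPassword = $env:SIGNING_PFX_PASSWORD
if ([string]::IsNullOrEmpty($pfxPassword)) { throw 'SIGNING_PFX_PASSWORD is not set.' }

foreach ($path in @($AppManifest, $DeployManifest, $PfxPath)) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Required file not found: $path" }
}

function Invoke-Mage {
    param([string] $Step, [string[]] $MageArgs)
    # Keep tool output out of the build log; report only the step name on failure,
    # never the argument list (it contains the password).
    & $Mage @MageArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mage.exe failed during '$Step' (exit code $LASTEXITCODE)." }
}

# Note: the password is passed on mage's command line, so it is visible in the
# process list of the build agent while mage runs. Restrict who can log on there.

# 1. Sign the application manifest after the post-build changes were made to it.
Invoke-Mage 'sign application manifest' @(
    '-Sign', $AppManifest, '-CertFile', $PfxPath, '-Password', $pfxPassword)

# 2. Point the deployment manifest at the re-signed application manifest;
#    this refreshes the embedded hash, which changed in step 1.
Invoke-Mage 'update deployment manifest' @(
    '-Update', $DeployManifest, '-AppManifest', $AppManifest)

# 3. Sign the deployment manifest last, since step 2 modified it.
Invoke-Mage 'sign deployment manifest' @(
    '-Sign', $DeployManifest, '-CertFile', $PfxPath, '-Password', $pfxPassword)

Write-Host "Signed $AppManifest and $DeployManifest"
```

The order matters: signing the application manifest changes its hash, so the deployment manifest has to be updated and signed afterwards or the deployment will fail validation on install.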