tl;dr:
It works if you trick the kindle wifi settings daemon to think eduroam is a 'known' network. You'll need a wifi AP/router where you can change the network SSID to 'eduroam' temporarily (I recommend doing it outside of the actual eduroam coverage, e.g. at home) and connect Kindle to it via the GUI. I used a WPA2/PSK configuration (not sure it matters). Then the instructions from e.g.
http://frakira.fi.muni.cz/~antos/201...e-and-eduroam/ work again (and you don't need to set fast_reauth=0 or anything), but it might still be improved, because the current result is that wpa_supplicant has configuration for two networks of the same SSID and I am not sure it can cause reconnection problems. In my school connection usually fails after about a minute, and I have to turn wifi off/on from the menu. But it wasn't stable even on previous firmware, the signal here is really weak due to paranoid admins... It's good enough to sync downloaded items, which is ok for me now, and I will see tomorrow if changing the script to remove duplicated entries helps. I can however confirm that the eduroam network added by the script is no longer removed from the network list, so the trick works!
The details: thanks to the extensive trial-and-error by otichy and our icq sessions

I got rough idea how the whole network thing most probably works. There is a wifi daemon called wifid that listens to wpa_supplicant's control socket (it has the /tmp/wpa_ctrl_<PID> file opened) which a) populates the network list from the content of the encrypted wifid.conf file mentioned above, and b) when it hears that the supplicant sucessfully associates with a network, it starts dhcp, sets routing, nameservers and probably other stuff.
Now I guess (from the behavior) the problem in 3.1 is that the daemon also started to check if the associated network is one of the 'known' networks (in wifid.conf), and if not, it reconnects and resets the supplicant's settings. If your restart the wpa_supplicant service, it will get a new control socket and the wifid daemon can no longer check and reset, but it also won't start the dhcp and other stuff...
So my idea was to trick the wifid daemon to think eduroam is known network, by connecting the Kindle via the UI to a WPA2 personal network of the same SSID (set up temporarily on my home wifi router), which stores it in wifi.conf, and then use the wpa_cli script to change its settings to the eduroam enterprise networks. If the check is done only against the SSID and nothing more, it should work.
As it turns out, it seems that it indeed does work... (until the checks are restricted again in the next firmware...)