Best practice for integrating software into an existing company vault

This is largely a best practice question.

Let’s say that a company already has a vault installation.
Let’s say that I want to provide that company with a new piece of software. The software would like to store data securely, and it would like to use vault. Rather than provisioning a dedicated vault, I would like to use the companies existing vault.

My software allows users to store secret data for their own use as part of its functionality.
My software uses OpenID Connect for authentication.

Is the following good practice for using vault?
Configure the company vault with an additional authentication method of jwt, and configure that auth method to point to my software’s OpenID Connect discovery endpoint. Hence a user that has logged in to my software can now present the resulting JWT to the company vault, and it will be taken as valid authentication.
Mount a new dedicated KV secrets engine at, say, “/secrets/my-software”.
Configure a vault policy and associate it with the auth method so that a user that authenticates with that auth method has full control on a path such as “/secrets/my-software/users/{{}}”. Deny all other users access to anything in “/secrets/my-software” (not actually sure how you would do that, that would need to be part of a more central policy?)

There’s now a dedicated area in the shared company vault that users of my software can access without further authentication, and which no one else can access. A user of my software can only access their own personal area of that.

The question is a) is there any reason why that should not work, but more importantly b) is that best practice? Is that going to be something that a company vault administrator is likely to permit?