Incorporate SPIFFE Workload API and SPIRE-like attestations to Consul

Hi Simon,
It’s worth noting that in our Kubernetes implementation, we do something similar to this. An init container logs in to Consul via an auth-method with its ServiceAccountToken. Consul then authorizes this against the Kubernetes API server. This returns an ACL token that allows the init container to register a specific service name (and also receive the certificate for that service).

I work on the Kubernetes side of things so unfortunately can’t answer your main question but thought it worth responding.
