79413805

Date: 2025-02-05 06:16:46
Score: 0.5

You can create a Managed Identity in the customer's tenant.

  1. Create a user-assigned managed identity in the customer's tenant (inside the MRG).
  2. Grant the managed identity Key Vault Administrator or Key Vault Secrets Officer.
  3. Grant the managed identity an RBAC role for the key vault at the data plane level (e.g., Key Vault Secrets User). Check whether managed identity is enabled for KV.
  4. Implement an Azure Function or Automation Runbook that uses the managed identity to update the secrets.
  5. From your publisher tenant, trigger your Function app or Automation by Azure Logic App.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: Lakshan Umesh
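
Step 4 of the answer above, sketched as an Automation Runbook. This is an added example, not code from the original post. The parameter names are hypothetical, the identity is assumed to hold a role that allows setting secrets (such as Key Vault Secrets Officer from step 2), and the new value is assumed to be one that can be generated inside the runbook rather than supplied by the publisher.

```powershell
# Added example: runbook body. All parameter names are hypothetical.
param(
    # Client ID of the user-assigned managed identity created in step 1.
    [Parameter(Mandatory)] [string] $IdentityClientId,
    [Parameter(Mandatory)] [string] $VaultName,
    # Key Vault secret names: 1-127 characters, letters, digits and dashes.
    [Parameter(Mandatory)] [ValidatePattern('^[0-9a-zA-Z-]{1,127}$')] [string] $SecretName,
    [ValidateRange(1, 365)] [int] $ValidDays = 90
)

$ErrorActionPreference = 'Stop'

# Keep the Azure context in this job's process only.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the managed identity; no credential is stored in the runbook.
Connect-AzAccount -Identity -AccountId $IdentityClientId | Out-Null

# Generate the new value here (assumption) so it is never passed in as a
# job parameter from the publisher side.
$bytes = [byte[]]::new(32)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
$secure = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

try {
    # Writes a new version of the secret with an expiry date.
    $result = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
        -SecretValue $secure `
        -Expires (Get-Date).ToUniversalTime().AddDays($ValidDays) `
        -Tag @{ rotatedBy = 'runbook' }
}
catch {
    # A Forbidden error here points to a missing data-plane role
    # assignment for the identity on this vault (step 3).
    Write-Warning "Secret update failed for '$SecretName' in '$VaultName': $($_.Exception.Message)"
    throw
}

# Return metadata only; the secret value is never written to job output.
[pscustomobject]@{
    Name    = $result.Name
    Version = $result.Version
    Expires = $result.Expires
}
```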