Using the function app's managed identity (instead of a creating secret) is now available in preview, as documented in a section added recently to the article I mentioned in my question.

It works by adding the managed identity as a federated identity credential in the app registration. I implemented it in my azd template and it works like a charm (despite it is advertised as a preview at the date of this posting).