In case others got confused by this thread (I thought for a minute "how do you know which private key goes with which peer", is PostUp per peer, etc.)... There is only one private key per interface on the server (or anywhere for that matter) and all the other peers are public keys.
Right, my use of the plural was confusing. It's just that in general when you add a client you end up editing both the client and the server config, so both keys end up being disclosed on the screen.
I have it grabbing a key from AWS Secrets Manager, haven't had a problem with that.
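The key layout discussed in this thread can be checked mechanically. The following is an added example, not code from any poster: a small audit of a wg-quick config that counts inline private keys, counts peer public keys, and detects a `PostUp` that loads the key at interface-up time. The sample configs, the placeholder key values and the `fetch-wg-key` script name are constructed assumptions.

```python
import re

# Constructed sample configs; every key value is a placeholder.
INLINE_CONF = """\
[Interface]
Address = 10.0.0.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
"""

POSTUP_CONF = """\
[Interface]
Address = 10.0.0.1/24
# fetch-wg-key is a hypothetical script that prints the key from a secrets store
PostUp = wg set %i private-key <(/usr/local/bin/fetch-wg-key)

[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = CLIENT2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
"""

def audit(conf_text):
    """Count where key material sits in a wg-quick config."""
    section = None
    found = {"inline_private_keys": 0, "peer_public_keys": 0,
             "private_key_in_peer": False, "postup_sets_key": False}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        key = key.lower()
        if key == "privatekey":
            found["inline_private_keys"] += 1
            found["private_key_in_peer"] |= section == "peer"
        elif key == "publickey" and section == "peer":
            found["peer_public_keys"] += 1
        elif key == "postup" and re.search(r"\bwg set \S+ private-key\b", value):
            found["postup_sets_key"] = True
    return found
```

A config that loads its key through `PostUp` should report zero inline private keys, so editing it to add a peer no longer puts the private key on screen.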