Since you already have the initial OAuth interaction running in an external service, you could potentially call back to that service for a current token, using an HTTP Request node, prior to making the authorized API request with a normal HTTP Authorization header.
You might also be able to implement the OAuth2 token refresh logic using a series of HTTP Request nodes in a workflow.
The limitation would be that nodes with custom credential-types would need to also support ordinary request headers. It seems like not many of them do support that, so you’d probably end up re-implementing those in HTTP Request nodes.
As you mentioned, you’re not really inviting users to be “tenants” in, and share your instance of n8n, so maybe that means you wouldn’t need an Embed License, but it might be worthwhile to discuss that with them to be sure.
There is a Feature Request for choosing credentials based on expressions, but I’m not sure if there is anything in that which would address what you’re describing, which sounds like maybe a “generic” OAuth2 node that would dynamically stand in for a credentials item.
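
The token refresh logic mentioned in the reply above, as an added example that is not part of the original post or of n8n itself: each function is one step a workflow would perform (expiry check, the RFC 6749 refresh_token request, storing the reply, building the Authorization header). The state shape, function names and any URL or client credentials passed in are assumptions.

```javascript
// Added example: OAuth2 refresh steps as pure functions. All names are hypothetical.
const SKEW_MS = 60 * 1000; // refresh one minute before the token actually expires

// Step 1 (an IF-style check): is the stored access token missing or about to expire?
function needsRefresh(state, nowMs) {
  return !state.accessToken || state.expiresAt - nowMs <= SKEW_MS;
}

// Step 2 (the request an HTTP Request node would send): RFC 6749 section 6 grant.
function buildRefreshRequest(tokenUrl, clientId, clientSecret, state) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    method: 'POST',
    url: tokenUrl,
    headers: {
      Authorization: `Basic ${basic}`, // client authentication, kept out of the URL
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: state.refreshToken,
    }).toString(),
  };
}

// Step 3: fold the token endpoint's reply into the stored state.
function applyRefreshResponse(state, status, body, nowMs) {
  if (status !== 200 || !body || !body.access_token) {
    // invalid_grant: the refresh token was revoked or expired, so the user
    // has to go through the authorization flow again.
    const reauthorize = Boolean(body && body.error === 'invalid_grant');
    return { ...state, accessToken: null, expiresAt: 0, reauthorize };
  }
  return {
    accessToken: body.access_token,
    // Servers may rotate the refresh token; keep the old one only if none came back.
    refreshToken: body.refresh_token || state.refreshToken,
    // A missing expires_in is treated as "already stale" so the next call refreshes.
    expiresAt: nowMs + (body.expires_in || 0) * 1000,
    reauthorize: false,
  };
}

// Step 4: the ordinary header for the authorized API request.
function authHeader(state) {
  return { Authorization: `Bearer ${state.accessToken}` };
}
```

The state object holds a long-lived refresh token, so wherever the workflow stores it needs the same protection as a credential, and it should stay out of execution logs.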