Does the key share have a witness to prove it is a part of the subnet key? If so this could be handled at the replica level where the calling node signs and provides a witness that they are currently part of the signing group and have rights to call the api. Maybe this exposes the api to attack?
Update calls don’t have access to signatures, but is there any reason the replic can’t have access after the call is complete? Outcalls are sync anyway. If the requesting contract injects the witness into the header, the replica could inject the root header before sending the outcall?