
I’m forgetting the details and names of the API calls, but essentially, you can override the default SSH authentication check which normally looks in the authorized_keys file to instead query a remote resource to get back the fingerprint for that key pair. You can then use this in that custom script to authenticate the connection. You also need a second piece, one that uses SSH ForcedCommands, to essentially pipe the original git request into the newly authenticated session and execute.

If I remember the name of the method to override I’ll update. It was hard to find. It has everything to do with SSH and nothing to do with Git.

Edit: Found it - it's the AuthorizedKeysCommand [1] and you can use that in lieu of an AuthorizedKeysFile (which is authorized_keys by default) to run a script that can query a remote resource for the pubkey.

[1] https://man.openbsd.org/sshd_config#AuthorizedKeysCommand
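
A sketch of the two pieces the comment above describes, as an added example that is not the commenter's code: an AuthorizedKeysCommand helper that looks up the offered key by fingerprint and answers with an authorized_keys line carrying a forced command. The helper path, the `git-gateway` wrapper, the account-name format and the in-memory lookup standing in for the remote resource are all assumptions.

```python
#!/usr/bin/env python3
# Added example. sshd_config side (helper path and user are assumptions):
#   AuthorizedKeysCommand /usr/local/bin/lookup-key %t %k
#   AuthorizedKeysCommandUser nobody
import base64, hashlib, re, sys

# Hypothetical forced-command wrapper; it reads the client's original git
# request from the SSH_ORIGINAL_COMMAND environment variable set by sshd.
GATEWAY = "/usr/local/bin/git-gateway"
KEY_TYPE_RE = re.compile(r"[a-z0-9@.\-]+")
ACCOUNT_RE = re.compile(r"[a-z0-9_-]{1,32}")   # assumed account-name format

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in ssh-keygen -l form."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_keys_line(key_type, key_b64, lookup):
    """Return one authorized_keys line, or "" so sshd rejects the key."""
    if not KEY_TYPE_RE.fullmatch(key_type):
        return ""
    try:
        account = lookup(fingerprint(key_b64))   # remote query, may raise
    except (ValueError, OSError):
        return ""                                # fail closed on any error
    # Refuse anything that could break out of the quoted command option.
    if account is None or not ACCOUNT_RE.fullmatch(account):
        return ""
    # "restrict" disables forwarding, PTY, etc.; "command" pins what runs.
    return f'command="{GATEWAY} {account}",restrict {key_type} {key_b64}'

# Constructed sample data standing in for the remote key store.
SAMPLE_KEY = base64.b64encode(b"constructed-key-blob").decode()
SAMPLE_DB = {fingerprint(SAMPLE_KEY): "alice"}

def sample_lookup(fp):
    return SAMPLE_DB.get(fp)

if __name__ == "__main__" and len(sys.argv) == 3:
    line = authorized_keys_line(sys.argv[1], sys.argv[2], sample_lookup)
    if line:
        print(line)
```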




Awesome, thank you!



