Hacker News

8cvor6j844qw_d6, last Saturday at 4:05 AM (3 replies)

Any suggestions for secrets management to distribute API keys/DB secrets/etc.?

For a self-hosted use case.

Currently I manually SSH into VPSes and update env files, but I'm not sure if it's best practice.


Replies

CGamesPlay, last Saturday at 7:31 AM

SOPS reduces the surface area you need to cover. You can use Age as a backend and then you only need a long-lived private key on the server. https://github.com/getsops/sops

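The SOPS + age workflow described in the reply above, written out as an added example (this is not code from the thread or from the SOPS project): the operator encrypts a dotenv file against the server's age public key and commits only the ciphertext, while the VPS holds a single long-lived age private key and `sops exec-env` decrypts the values straight into the application's environment at start. The key path, file names, `.sops.yaml` layout and the sample `.env` contents are illustrative assumptions; the helper names (`recipient_from_keyfile`, `render_sops_config`, `run_with_secrets`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the HN thread or the SOPS project.
# Operator side: encrypt a dotenv file with the server's age public key, commit
# only the encrypted file. Server side: the only secret on the VPS is one
# long-lived age private key; sops decrypts the env into the process at start.
# Paths, file names and the sample .env values are constructed for illustration.
set -eu

# age-keygen writes a key file of the form:
#   # created: <timestamp>
#   # public key: age1...
#   AGE-SECRET-KEY-1...
# Pull the recipient (public key) out so the operator can build .sops.yaml.
recipient_from_keyfile() {
  sed -n 's/^# public key: //p' "$1" | head -n 1
}

# Sanity-check a recipient before committing it: "age1" followed by 58 bech32
# characters (bech32 has no '1', 'b', 'i' or 'o').
is_age_recipient() {
  printf '%s' "$1" | grep -Eq '^age1[02-9ac-hj-np-z]{58}$'
}

# .sops.yaml: encrypt any *.env file for this recipient only. sops encrypts
# values and leaves keys readable, so diffs of the committed file stay reviewable.
render_sops_config() {
  is_age_recipient "$1" || { echo "not an age recipient: $1" >&2; return 1; }
  printf 'creation_rules:\n  - path_regex: \\.env$\n    age: %s\n' "$1"
}

# Operator: plaintext .env -> encrypted .enc.env. The .env extension makes sops
# treat the file as dotenv; the plaintext never leaves the operator machine.
encrypt_env() {  # encrypt_env plain.env secrets.enc.env
  sops --encrypt "$1" > "$2"
}

# Server: run the app with decrypted variables injected into its environment.
# SOPS_AGE_KEY_FILE points sops at the one long-lived private key on the box;
# nothing is written back to disk in plaintext.
run_with_secrets() {  # run_with_secrets /etc/sops/age.key secrets.enc.env 'cmd'
  SOPS_AGE_KEY_FILE="$1" sops exec-env "$2" "$3"
}

# End-to-end walk-through in a temp dir (runs only when sops and age are installed).
demo() (
  work=$(mktemp -d); cd "$work"
  # Server-side, once: generate the long-lived key, readable by the app user only.
  age-keygen -o age.key 2>/dev/null && chmod 600 age.key
  recipient=$(recipient_from_keyfile age.key)
  # Operator-side: only the public key travels; write .sops.yaml and encrypt.
  render_sops_config "$recipient" > .sops.yaml
  printf 'DB_PASSWORD=constructed-example-password\nAPI_KEY=constructed-example-key\n' > plain.env
  encrypt_env plain.env secrets.enc.env
  if grep -q 'constructed-example-password' secrets.enc.env; then
    echo "plaintext value found in ciphertext file" >&2; exit 1
  fi
  # Server-side: decrypt into the process environment at start.
  run_with_secrets "$work/age.key" secrets.enc.env 'echo "DB_PASSWORD is ${#DB_PASSWORD} chars long"'
  rm -rf "$work"
)

if command -v sops >/dev/null 2>&1 && command -v age-keygen >/dev/null 2>&1; then
  demo
else
  echo "sops and age-keygen not found; install both to run the end-to-end demo" >&2
fi
```

The split matters: `.sops.yaml` and `secrets.enc.env` are safe to commit, `age.key` is the one file that must only ever exist on the server (and in whatever backup you trust), and `plain.env` should not exist anywhere after encryption. Rotating a leaked server key means generating a new one, updating the recipient in `.sops.yaml` and re-encrypting with `sops updatekeys`.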
Nextgrid, last Saturday at 6:36 PM

If it's a single application exposed to the internet that is using those tokens then an env file is perfectly fine. If the application gets breached the secrets will be in memory anyway (as the app needs them to do its work), so they will get exposed no matter how they were sourced.

If your vendors support IP-based restrictions (few do, thanks to "zero trust" and other bullshit), a very strong defense would be to enable that and restrict use of those secrets to your server's IP, so that the tokens become useless to anyone else even if leaked.

SlightlyLeftPad, last Saturday at 4:23 AM

I’d use the native secrets of your VM platform or something like 1Password with a functional API.
