Ephemeral tokens are a valid approach and some systems use exactly that.
The difference with Shamir is what happens if the proxy itself is compromised. With token exchange, the proxy holds or can reconstruct the real key server-side. A compromised proxy is game over for the credential.