Change Redirect URI of Identity Provider in Keycloak

It would be much easier if Google Identity accepted wildcards in redirect URLs, allowing matching of the values mentioned in your example. Unfortunately, that’s not the case.

However, the first option you mentioned is still possible: you can create/add a custom event listener that listens for the event type “realm added” and dynamically registers the newly created realm/tenant.
You can find sample code in this Stack Overflow discussion: Keycloak event listener provider not firing new realm creation event.

Edit: The previous code is a direct change to Keycloak’s code, which is not recommended. Now it’s supported within Keycloak via this commit.