i think you are making this way more complicated than it needs to be.
trying to create a solution for a problem that doesn't exist springs to mind.
i have a domain, and it simply auto-renews. i get an email shortly before advising that it will.
the auto renew uses the card it has on file.
previously the domain was with 123-reg, it's now at Google Domains.
with google domains i can turn auto-renew off, or turn it on for up to 9 years at a time (paying for them up-front).
this seems like the easiest solution. ie let the company you have the domain parked with handle the auto-renewal.
all these extra processes and manual solutions to deal with a fairly simply process is just a recipe for disaster.
interestingly enough, domain locking isn't available for my domain within google domains.