However we do this, it would be good if callers had to go to minimum effort to atomically refresh creds for a client principal.

One approach is a gic option to atomically store creds obtained by krb5_get_init_creds_*(), to be used instead of krb5_get_init_creds_opt_set_out_ccache().  This option could perhaps accept an optional string argument to name the collection or ccache to refresh, and use the default cache or collection otherwise.