> > If WireGuard let you configure a list of allowed keys for a peer (instead of a single key) that would be a logical solution without much extra complexity at all I imagine.
>
> As a handshake initiator, you wouldn't know which key to use. Similarly, when receiving a handshake initiation, you wouldn't know which key to use to authenticate the handshake. You'd have to fall back to trial decryption/encryption, which I think is a non-starter. The one-to-one correspondence of IP ranges to keys is baked into the protocol pretty deeply. I'd say this is one of those simplifying assumptions that WireGuard makes over IPsec and friends that makes it easier to configure and administrate.
>
> -Phil