In my ROM, I only use the platform key for access checking. So I suggest you let the internal APP accept the calling process used the platform key.
In my experience, one app only can be signed by one key. If you need more security checking, you should add other strategy for this such as package-name checking.