Actually, Jesse’s answer in this thread might be helpful:
Essentially, you need an app token to retrieve the secret, but the app token can’t also be a secret. I think that might be what Jesse was talking about in his initial reply to you.
So your schedule would invoke the script which would retrieve the app token from an environment variable or a plain text PSU variable, then that token would be used with Get-PSUVariable to retrieve your credential object. Something like:
$cred = Get-PSUVariable -Name MyCred -AppToken $env:PSUMySchedAppToken
I would try it with an app token with the admin role to confirm it works. If it does, you can try to create a more restrictive custom role in roles.ps1. I think it would need a permission like platform.variables.MyCred/read.