
Authenticating a request from a valid application (unshadowed)

Çağlar Arlı


I am working on an application whose architecture is described below:

  1. There is a Docker container, let's say Microservice-A, in which multiple processes are running. Each process is responsible for executing a workflow and is managed by the respective team. All of these processes run as the admin user.
  2. The folder used by the processes is shared, and people working on one workflow can see the details of the other processes in a production/non-production environment.
  3. As part of workflow execution, my process makes a network call to one of the microservices, say Microservice-B, which is also managed by us.

Problem statement:

  1. As of today, the self-signed certs used to authenticate to and communicate with the microservice are in a common directory inside the main Docker container, Microservice-A.
  2. Hence, it is a vulnerability: other services can use the same certs to connect.
  3. My workflow is written in Python, so it is again possible (in the case of an intruder) to sniff the logic, locate the certs directory and use them.

What are some possible ways (including Docker constructs) in which I can rightfully tell my second microservice, Microservice-B, that the call is made from the rightful process running inside Microservice-A? Is there a way I can add a thumbprint to the certs and send the same thumbprint along with the certs during authentication with Microservice-B? (Note: I can modify the logic inside Microservice-B to validate it.)

Some points I came up with:

  1. Use a PAKE-based algorithm to register MS-A with MS-B. Later, a combination of PAKE key + certs can be used for communication. But the problem is, if MS-A restarts, the PAKE key will be lost if it is created at runtime. If it is created in advance or saved somewhere, then it's the same problem again.
  2. Use a binary to generate the PAKE key at runtime. Since the logic inside the binary won't be visible, the PAKE key can be generated on the basis of a static string stored in the binary itself. But the problem is, I do not want anyone else to execute the binary other than the valid process inside MS-A. Is there any Linux- or Docker-based construct to uniquely identify the process (note: the PID can change over a restart) such that only the valid process inside MS-A is able to execute that binary?
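Added example, not part of the original post: what Microservice-B can actually verify is a credential, never "which process" made the call. A certificate thumbprint is a hash of the public certificate, so anyone who can read the cert can compute and send it; sending it alongside the cert adds no secret. The example below instead gives each workflow its own key file, refuses to use a key file that other users could read, and has Microservice-B verify an HMAC over the request under a per-workflow key id, so B can attribute each call to a workflow and reject tampered or stale requests. Paths, header names and key ids are hypothetical, and the design assumes each workflow in Microservice-A runs as its own Unix user rather than all as admin.

```python
"""Per-workflow request authentication between Microservice-A and Microservice-B.

Added example (not the original post's code). Assumptions:
- each workflow in Microservice-A runs as its own Unix user and owns a key
  file (hypothetical path /run/secrets/workflow-a.key, mode 0600) that the
  other workflows cannot read;
- Microservice-B holds a copy of each workflow's key under a key id.
Header names and key ids below are hypothetical.
"""
import hashlib
import hmac
import os
import stat
import tempfile
import time

# Constructed sample keys. In production each key comes from a Docker secret
# or a file readable only by the owning workflow's uid, never a shared folder.
KEYS_AT_B = {
    "workflow-a": b"k" * 32,
    "workflow-c": b"q" * 32,
}
MAX_SKEW_SECONDS = 300  # replay window accepted by Microservice-B


def load_key(path: str) -> bytes:
    """Client side: refuse a key file that group/other could read.

    The credential is only as private as its permissions; this check fails
    loudly instead of silently using a key every process in the container
    can copy. (Running every workflow as root defeats this entirely.)
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/other: {oct(st.st_mode)}")
    with open(path, "rb") as f:
        return f.read()


def sign_request(key_id, key, method, path, body, ts=None):
    """Client side (inside Microservice-A): HMAC over method, path, time, body hash."""
    ts = str(int(time.time()) if ts is None else ts)
    msg = "\n".join([method, path, ts, hashlib.sha256(body).hexdigest()]).encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": ts, "X-Signature": mac}


def verify_request(headers, method, path, body, now=None):
    """Server side (Microservice-B): returns the key id on success, else None."""
    key_id = headers.get("X-Key-Id")
    key = KEYS_AT_B.get(key_id)
    if key is None:
        return None
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None  # stale or replayed request
    expected = sign_request(key_id, key, method, path, body, ts)["X-Signature"]
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return key_id


def demo():
    """Constructed round trip: key file on disk -> signed call -> verified at B."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "workflow-a.key")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(KEYS_AT_B["workflow-a"])
        key = load_key(path)
        body = b'{"job": 42}'
        headers = sign_request("workflow-a", key, "POST", "/run", body)
        ok = verify_request(headers, "POST", "/run", body)
        tampered = verify_request(headers, "POST", "/run", b'{"job": 43}')
        # Simulate the shared-folder situation from the question: a key file
        # that another workflow could read is rejected before it is used.
        os.chmod(path, 0o644)
        try:
            load_key(path)
            leaky_rejected = False
        except PermissionError:
            leaky_rejected = True
    return ok, tampered, leaky_rejected


if __name__ == "__main__":
    print(demo())
```

In Docker the key can be delivered as a secret mounted into only the container that runs the workflow, or, if the processes must share one container, as a file owned by that workflow's uid with mode 0600. The "all processes run as admin" setup in the question defeats any file-based separation, so separate users per workflow is the first change to make; the HMAC then lets Microservice-B attribute and rate-limit calls per workflow, which a shared certificate cannot do.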