Nextgrid a day ago

If it's a single application exposed to the internet that is using those tokens then an env file is perfectly fine. If the application gets breached the secrets will be in memory anyway (as the app needs them to do its work), so they will get exposed no matter how they were sourced. If your vendors support IP-based restrictions (few do, thanks to "zero trust" and other bullshit), a very strong defense would be to enable that and restrict use of those secrets to your server's IP, so that the tokens become useless to anyone else even if leaked.
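The IP-binding idea in the comment above, shown as an added illustration (not code from the commenter or from any vendor): a minimal token-validation check that ties each API token to an allowlist of source networks, so that a token lifted from the app is rejected when presented from any address outside that allowlist. The token store, the `authorize`/`replay_log` helpers, the TEST-NET addresses and the request log are all constructed sample data.

```python
# Added illustration (not from the comment above): a minimal token-validation
# check, as a vendor might implement it, that binds each API token to an
# allowlist of source networks. A token leaked from the app is rejected when
# presented from any address outside the allowlist. All tokens, networks and
# request records below are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass
class TokenRecord:
    owner: str
    allowed_networks: list  # ipaddress networks; empty list = no restriction


# Constructed token store: hypothetical values, not real credentials.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (TEST-NET).
TOKEN_STORE = {
    "tok_app_server_123": TokenRecord(
        owner="billing-app",
        allowed_networks=[ipaddress.ip_network("203.0.113.10/32")],  # the app server's IP
    ),
    "tok_unrestricted_456": TokenRecord(owner="legacy-job", allowed_networks=[]),
}


def authorize(token: str, source_ip: str) -> tuple:
    """Return (allowed, reason). The reason strings are meant for audit logs."""
    record = TOKEN_STORE.get(token)
    if record is None:
        return False, "unknown token"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed source address"
    if not record.allowed_networks:
        return True, f"token for {record.owner} has no IP restriction"
    if any(addr in net for net in record.allowed_networks):
        return True, f"token for {record.owner} used from allowed address {addr}"
    return False, f"token for {record.owner} presented from {addr}, outside allowlist"


def replay_log(requests):
    """Evaluate a list of (token, source_ip) pairs; returns (token, ip, allowed, reason) rows."""
    return [(tok, ip) + authorize(tok, ip) for tok, ip in requests]


if __name__ == "__main__":
    # Constructed request log: the legitimate server, then the same token
    # replayed from an unrelated address after a hypothetical leak.
    sample = [
        ("tok_app_server_123", "203.0.113.10"),
        ("tok_app_server_123", "198.51.100.77"),
        ("tok_unrestricted_456", "198.51.100.77"),
        ("tok_missing", "203.0.113.10"),
    ]
    for tok, ip, ok, why in replay_log(sample):
        print(f"{'ALLOW' if ok else 'DENY ':5} {tok:22} {ip:15} {why}")
```

The second row of the sample log is the case the comment is making: the same token that succeeds from the server's own address is denied from anywhere else, and the reason string gives the defender a log line to alert on when a restricted token starts arriving from an unexpected source.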