This was actually due to a problem with re-keying the secrets file when I switched over from bootstrapping with a user’s age key to bootstrapping with a pre-generated ssh-ed25519 host key.

I assumed that adding the age public key derived from the pre-generated ssh-ed25519 host key to `.sops.yaml` and then editing the secret with `sops -e path/to/secrets.yaml` would encode the secret for the new public key, but it turns out that you need `sops updatekeys path/to/secrets.yaml` to re-key.

Once that was fixed, using `sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];` worked just fine.
The perspective shift still applies, though, so I’ll continue to evaluate my alternate approach that uses a bootstrapped snapshot of root rather than symlinking from a separate subvolume.
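For reference, the re-keying step described above as an added example (not the poster's own files): a `.sops.yaml` that lists both the user's age key and the age recipient derived from the host's ssh-ed25519 key, with the commands that make sops actually re-encrypt for the new recipient. The recipient strings and the `secrets/` path are placeholders.

```yaml
# .sops.yaml (example, placeholder recipients)
#
# Derive the host's age recipient from its ssh-ed25519 public key:
#   ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
# (ssh-to-age ships with sops-nix; the output is an age1... string.)
keys:
  - &admin_user age1PLACEHOLDER_USER_RECIPIENT      # user's age key (bootstrap)
  - &host_ed25519 age1PLACEHOLDER_HOST_RECIPIENT    # derived from the host key

creation_rules:
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
      - age:
          - *admin_user
          - *host_ed25519

# Adding a recipient here changes only the policy for *new* files.
# An existing file keeps its old recipient list until you re-key it:
#   sops updatekeys secrets/secrets.yaml
# Editing with `sops secrets/secrets.yaml` (or `sops -e`) reuses the
# data key already wrapped for the old recipients, so the host key
# still cannot decrypt the file until updatekeys has run.
#
# On the host, sops-nix then decrypts with the private host key:
#   sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
```

After `sops updatekeys`, check the `sops.age` block at the bottom of the encrypted file: it should now list one entry per recipient, including the host-derived one.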