If your application connects to an Azure IoT Hub or IoT Central, you could use either a device twin property or a direct method to pass the secret to your application.
The advantage of using a direct method is that you could make passing the secret a one-time event. On the device, you could store the secret in persistent/flash memory so that the application will always have access to the secret.
If you ever "recover" (azsphere device recover) your device, the persistent memory will be overwritten, so keep that in mind. In that case you would need to call the direct method again to put your secret back into persistent memory.
- Blog on using direct methods on Azure Sphere here
- Example application showing how to use persistent memory on Azure Sphere MutableStorage Example
The advantage of using a device twin property is that you would not have to store the secret in flash memory; however, your secret would be exposed in the device twin.
Another option, as you're already looking at, is to modify your command line arguments in the app_manifest.json file before building/packaging your application. Then, in the application, modify the code to parse out the new option and use it.
- Example that shows how to pass/parse command line options (AzureIoT Example)
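
As an added illustration of the command-line option (not part of the original answer and not code from the AzureIoT sample), the sketch below parses a secret passed through `CmdArgs` with `getopt_long`, bounds its length, and wipes the output buffer on any failure. The option name `--Secret`, the 64-byte limit and the function name are assumptions made for this example; note that a value passed this way is written into app_manifest.json and packaged with the application.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

#define SECRET_MAX_LEN 64 /* assumed limit for this example */

typedef enum { SECRET_OK, SECRET_MISSING, SECRET_TOO_LONG, SECRET_BAD_ARGS } SecretResult;

/* Assumed manifest entry (hypothetical option name, placeholder value):
 *   "CmdArgs": [ "--Secret", "<secret>" ]
 * Copies the value into out; on any failure out is wiped so the caller
 * never continues with a partial secret. */
SecretResult ParseSecretOption(int argc, char *argv[], char *out, size_t outSize)
{
    static const struct option options[] = {
        {"Secret", required_argument, NULL, 's'},
        {NULL, 0, NULL, 0}};
    SecretResult found = SECRET_MISSING; /* until --Secret is seen */
    SecretResult error = SECRET_OK;      /* set when parsing fails */
    int opt;

    if (out == NULL || outSize == 0) return SECRET_BAD_ARGS;
    memset(out, 0, outSize);
    optind = 1; /* restart scanning so the function can be called again */
    opterr = 0; /* no getopt diagnostics on stderr */

    /* Leading ':' makes getopt_long return ':' for a missing value. */
    while ((opt = getopt_long(argc, argv, ":s:", options, NULL)) != -1) {
        if (opt == 's') {
            size_t len = strlen(optarg);
            if (len == 0) error = SECRET_MISSING;
            else if (len > SECRET_MAX_LEN || len >= outSize) error = SECRET_TOO_LONG;
            else { memcpy(out, optarg, len + 1); found = SECRET_OK; }
        } else if (error == SECRET_OK) {
            error = (opt == ':') ? SECRET_MISSING : SECRET_BAD_ARGS;
        }
    }
    if (error != SECRET_OK) { memset(out, 0, outSize); return error; }
    return found;
}

int main(void)
{
    char *args[] = {"app", "--Secret", "constructed-sample-value", NULL}; /* constructed */
    char secret[SECRET_MAX_LEN + 1];
    SecretResult r = ParseSecretOption(3, args, secret, sizeof secret);
    printf("result=%d length=%zu\n", (int)r, strlen(secret)); /* never log the value */
    return r == SECRET_OK ? 0 : 1;
}
```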