Hi Veidel,
As this is a complex and critical stage of the design, I suggest you review the Azure multi-tenant options and explore the different approaches you can take. It is not one size fits all, so consider different multi options and combinations of pros and cons for the answers. design-multi-tenant-architecture
I would prefer option 3 as this is straightforward and matches your requirements, there are no restrictions AFAIK and you can easily invite guests and provide access to the apps as required. Check out the AAD service limit restrictions, which will clear up the confusion - directory-service-limits-restrictions
Hope this helps.
JS
==
Please Accept the answer if the information helped you. This will help us and others in the community as well.