This doesn't sound like the correct approach.
Authentication and account are two separate things, but are often linked together.
I suspect the Wordpress SSO will authenticate against the account and group.
I doubt you can have the accounts split across domains.
Shouldn't this be setup using B2B (guest accounts) or B2C within the same tenant?
In true multi-tenant scenarios, the tenants are separate so I don't think you can nest groups from one to another. I don't think its possible. I can't find any documents or scenarios that its covered.
The other option is to copy the users and relevant groups from the external tenant to the main tenant via Azure AD Connect but this means that they are being authenticated from the main tenant. So this would seem superfluous. You could copy from the main tenant to the external tenant, but this would still mean 1 million user records being copied across which defeats the purpose of the workaround you are trying to implement.