figured out a solution so going to leave it here for anybody that looks for something similar in the future.
1) link each download key with a custom key value using persistent data storage (CustomKeys.dat)
2) in the application, check the server connection code is correct before any connections are made (increment it every time you push a new build).
3) should a tester become inactive, revoke the key manually by removing it from the list of allowed keys.
4) the user (who's key has been revoked) will not be able to connect online until they update. However, if they were able to update the files, their key will be revoked and they will not be able to access the multiplayer service.
5) They shouldn't be able to update to new files with their itch.io key revoked, but even if they could they wouldn't be able to use multiplayer.