From what you describe, the use case should be possible with ZITADEL. You can add the app in the "Vendor" organization and then grant it to all "customer" organizations. When you add the organization ID scope to the auth request (e.g. on demo1.localhost:3000 you send the ID for organization demo 1), you will automatically trigger the branding, settings, etc. from that org. Also, no users other than the ones from that org will be able to log in.
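The per-tenant auth request described above, as an added example that is not part of the original answer and not ZITADEL's own code: the server maps the request host to an organization ID, refuses unknown hosts, and builds an Authorization Code + PKCE request carrying ZITADEL's reserved `urn:zitadel:iam:org:id:{id}` scope. The issuer URL, client ID, organization IDs and callback path are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders: replace with your instance, app and organization IDs.
ISSUER = "https://zitadel.example.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
ORG_BY_HOST = {
    "demo1.localhost:3000": "ORG_ID_DEMO1",
    "demo2.localhost:3000": "ORG_ID_DEMO2",
}


def org_scope(host: str) -> str:
    """Map the request host to the org scope; unknown hosts fail closed."""
    org_id = ORG_BY_HOST.get(host.strip().lower())
    if org_id is None:
        raise LookupError(f"no organization configured for host {host!r}")
    return f"urn:zitadel:iam:org:id:{org_id}"


def build_auth_request(host: str):
    """Return (authorize_url, session_data) for an Authorization Code + PKCE login."""
    host = host.strip().lower()
    scope = org_scope(host)  # raises before any redirect URL is built
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": f"http://{host}/auth/callback",  # hypothetical callback path
        "scope": f"openid profile email {scope}",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = f"{ISSUER}/oauth/v2/authorize?{urlencode(params)}"
    # Keep these server-side (session) to validate the callback and redeem the code.
    return url, {"state": state, "code_verifier": verifier, "org_scope": scope}


if __name__ == "__main__":
    print(build_auth_request("demo1.localhost:3000")[0])
```

The organization ID comes from a server-side allowlist keyed by host, never from a query parameter the user controls, so a request for an unmapped host fails instead of falling back to an unrestricted login.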