This has come up more than once in the past.
There are certain values you can pull from the OVF environment variables, but I don't recall a nice dynamic way for you to inject those values into the VMs without some automation on top. It sounds like you've gottent this far.
It's not like you can provision from the vCloud Director portal, and then make some sort of call from inside an isolated tenant network through the host. That just sounds like some exposure that people may not want to introduce.
Even excluding vCD ... I can't think of a way for VMware Tools tools to pull things like the VM's Managed Object Reference (MoRef / MOID) from vCenter/ESXi. The OVF/OVA information is strictly limited to configuration info (thin Hostname of the VM, or IPs for NICs).
I think the problem comes down to an appropriate level of isolation between the provider and consumer of the resources. More of an opening a door aspect, and hopefully no bad info is plugged in there that shouldn't be exposed.
I'm also posting to just be aware if this changes or someone posts a nicer solution ... so I know it exists.