Can't use a secret for service call

I’m trying to move out the auth token for the service call from configuration.yaml to secrets.yaml file.
But once I’ve done this, the service does not work with this secret. It works only when I enter the actual token itself.

Take a look at examples:

My configuration is the following:
configuration.yaml:

# Query to enable/disable speedtest in Zabbix
rest_command:
  zabbix_speedtest:
    url: https://mydomain.com/api_jsonrpc.php
    method: POST
    headers:
      Content-Type: "application/json"
    payload: '{"jsonrpc": "2.0", "method": "item.update", "params": { "itemid": "36701", "status": "{{ disabled }}"}, "id": 2, "auth": "{{ token }}"}'
    verify_ssl: true

secrets.yaml:

# Zabbix
zabbix_token: ACTUAL_TOKEN_abcdefg012345678zzz

Maybe secrets are not allowed for calling services/templates?
If so, how do I secure tokens/credentials which are used for service calls?

upd. I found a sort of workaround - to put the entire payload in secret.
configuration.yaml:

# Query to enable/disable speedtest in Zabbix
rest_command:
  zabbix_speedtest:
    url: https://mydomain.com/api_jsonrpc.php
    method: POST
    headers:
      Content-Type: "application/json"
    payload: !secret zabbix_token
    verify_ssl: true

secrets.yaml:

# Zabbix
zabbix_token: '{"jsonrpc": "2.0", "method": "item.update", "params": { "itemid": "36701", "status": "{{ disabled }}"}, "id": 2, "auth": "ACTUAL_TOKEN_abcdefg012345678zzz"}'

But this is rather confusing, isn’t there any other way that is more straightforward?