Circling back on this, thanks everyone for the input! I think tap-sharepoint is the way to go for us.
@Henning Holgersen I'm trying to set this up for a client. For authentication, am I understanding correctly that they have to create a
user-assigned managed identity in Azure and then grab the client_id from that identity to input into the tap config?