All of those solutions wait for apt itself. If you want to synchronise the tasks themselves, you can wait for the initial provisioning to finish using:
systemd-run --property="After=apt-daily.service apt-daily-upgrade.service" --wait /bin/true
Oh that’s neat! Didn’t know you could do that.
In the specific case I was running into (didn’t include it in the post in the end as it ended up feeling like a weird tangent) I don’t think it would have worked. It turns out one of the AWS-provided packages we’re using runs apt-get commands at startup if it detects you don’t have certain things installed, which I was not thrilled to find out, but sometimes you get what you’re given 😅
In that case you can likely add a “cloud-init.target” (or the service itself) to the “After” list.
Okay I have some more reading to do. Thank you for the pointers!