I don't believe that PSK is as secure as certificate base auth. However, depending on the use-case, it might not be significant. The problem with PSK is that, if the key is compromised, you have to reset it for everyone. With certificate based mutual-authentication, you might not need to do that and even if you do, there are automated mechanisms that mean that the client might not even notice.
More importantly though as the question is about an external service, I doubt that the OP could get the authentication method changed.
Apologies for pinging you direct on this one Steve but I thought you might know or would be able to investigate Probably would be quite nice to have PSK as an option.
As @TotallyInformation guessed, I cannot insist that the authentication method is changed.
I agree with @krambriw and @TotallyInformation that certificate based authentication is safer. however, in this use case, there are a limited number of gateways communicating with a broker to co-ordinate a green energy trial. The disadvantages @TotallyInformation discussed would have a limited impact.
I would be grateful for any quick fixes - even if I need to write some custom js code. My backup plan is to call mosquitto_sub CLI, passing in payload and extracting payloads. That would obviously be a bit of a PITA.