In terms of my original question, I realized that the VCSA only requires one portgroup to work (i.e., one associated with its own IP address), since the VCSA requires only one network interface. With that, I didn't have to add the other portgroups to the legacy vCenter. In fact, I took them off, as I had added them thinking I needed them. I removed them months ago, and the VCSA has been working fine since then.
As to your question, my understanding from VMware support is that VMware highly recommends you *not* put the VCSA on vSAN, since you will have chicken-and-egg problems when trying to troubleshoot vSAN if the VCSA itself is having problems accessing the vSAN datastore. I think the only real, feasible solution to your problem may be to put the VCSA on another cluster, controlled by another vCenter.