You can create a file called custom_logout.php and place it in the root wordpress directory. This contains
<?php
require_once("wp-load.php"); //load wordpress
wp_logout(); //logout
exit(); //end page
?>
Then in your subdomain site open the url with an anchor tag
<a href="http://youwebsite.com/custom_logout.php">Logout</a>
You can’t create a whitelist easily because it would involve checking where the user is coming from using $_SERVER[‘HTTP_REFERER’] which is unreliable(usually null). There is no simple solution for this unfortunately.
Reply To Your Edit
You are completely free to implement the temporary key approach if that is a responsible compromise. However, instead of two random keys you can send a md5 hash of the current day. Use an identical secret salt on both servers. Now you can simply recompute yesterday’s hash and the current day’s in custom_logout.php and compare it to the get variable that is incoming. It eliminates the need for a txt/ini file.