It's probably most helpful to think in terms of the Kerberos protocol...
When the browser requests the Kerberos-protected resource, it will be redirected to the Kerberos Credential Collector URL, creds.kcc. The first request for this resource will receive a response of HTTP 401 and the header "WWW-Authenticate: Negotiate". At this point, if the browser is configured to perform integrated authentication for the remote domain, it will try and obtain a Kerberos ticket.
Now, the browser will request a ticket for that remote resource from a KDC. As long as it can acquire a Kerberos service ticket, then it will make another request with the ticket in an HTTP Authorization header. This should all work without a problem in a multi-domain/multi-realm environment like you have proposed.
Now, when the web agent or the policy server needs to decrypt a Kerberos request, they must use the same key as used to encrypt the request. Therefore, you only need one account for the web agent and one for the policy server - each configured with the correct service principal name (SPN). You definitely to not want multiple accounts across the domains with the same SPN or else a key from one KDC for the SPN may be used in a request, but a different account and key are used by the service receiving the request.
My point is that as long as Kerberos clients (the browser, the web agent, and the policy server) can authenticate (obtain their initial Kerberos ticket-granting-ticket, krbtgt) and obtain service tickets, everything should work just fine.
Finally, just a reminder that the .local top level domain is reserved by IETF (for multicast DNS) and is not suitable for use as a private top-level domain. I was not sure if it is just an example or if you were planning on using that on internal systems. See https://en.wikipedia.org/wiki/.local for more information. Typically, for examples in explanations, example.com is used for this purpose and explicitly reserved by RFC 6761 https://tools.ietf.org/html/rfc6761.