I did not understand the idea of your project, but creating a CEX type exchange will be completely different from your idea, as you will create the exchange and have an independent data management system with a separate server for all withdrawals. Transactions will be sent in the form of Comma-separated values (CSV), which contains the address, value, and then Bitcoin Core can handle it.
1. When sending transactions, I included a set passphrase in my codes. In terms of multisig principles, I can't unlock that account with a passphrase; but, I need to sign data using distinct private keys. Am I correct?
In this case, multisig principles will not help, but rather BIP39 Passphrases, where the private key is one and each account has a unique password through which it can generate addresses.
https://medium.com/@alephium/bip39-passphrase-implementation-f87adecd6f59