(I know this post is a month old, but I just came across it.)
We deal with this by not dealing with it, so to speak. We keep the on-prem AD account disabled and just move it to a synced OU called “Terminated”, then strip all group memberships/permissions from it. Once we’ve held onto the shared mailbox for the required length of time, we then delete both the on-prem AD account and the shared mailbox.