Hey. So, I got a solution, but frankly, I had to kinda figure it out myself. I mean, they guided me to some documents which I had read before, but I had to put a workflow together and test it, then retest it and finally push it out. I've left it in place, actually, to ensure keys stay current and we don't get into this situation again. But this is totally fixable, actually easy, but there is some pain in the process.
I suggest you go here and get familiar with this GitHub repo: https://github.com/homebysix/jss-filevault-reissue
There, they have a script which I've used in two orgs (changed jobs....same problems in both) and it works. The "reissue_filevault_recovery_key.sh" is the one to look at. You basically set it up in a policy, and then it will prompt the end user for their login password, and they get a new key. Boom...done. But, that's not the pain in this process. The pain comes from having to do the leg work to let end users know that they will be prompted for their password, why it's needed AND that it's legit.
In the script, you can make it look pretty official, use company logos, it works pretty well. You'll need a smart group to target. I can't upload the screenshot of mine, but if you're on Slack, hit me up and I can share it with you.
Let me know if I can help further. Glad to assist. (don't sweat it..you got this!)
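For readers who want to see what the policy script in that repo is doing underneath, here is an added example (my own code, not the post's workflow and not the homebysix script) of the core `fdesetup changerecovery -personal` call that a key-reissue script wraps. The function names (`xml_escape`, `build_fdesetup_plist`, `reissue_recovery_key`) are mine; it assumes it runs as root on a Mac with FileVault on, that the user whose login password was collected is a FileVault-enabled user, and that the MDM's escrow profile (if one is installed) picks up the newly printed personal recovery key. The password is passed to `fdesetup` as an input plist on stdin, never as a command-line argument, so it does not show up in process listings or policy logs.

```shell
#!/bin/bash
# Added example: reissue a FileVault personal recovery key the way a
# policy-run script does it, using fdesetup's -inputplist interface.

# Escape the five XML special characters so a password containing & < > " '
# cannot break (or alter) the plist we hand to fdesetup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist that "fdesetup changerecovery -personal -inputplist" reads
# from stdin: the user's own login name and password (what the prompt collects).
build_fdesetup_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Username</key>
    <string>$(xml_escape "$1")</string>
    <key>Password</key>
    <string>$(xml_escape "$2")</string>
</dict>
</plist>
EOF
}

# Pre-flight checks, then the actual key change. Distinct return codes let a
# policy log *why* a reissue was skipped without logging any secret.
reissue_recovery_key() {
    local user="$1" pass="$2"
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found; this only runs on macOS" >&2
        return 2
    fi
    if ! fdesetup status | grep -q "FileVault is On"; then
        echo "FileVault is not enabled on this Mac" >&2
        return 3
    fi
    # "fdesetup list" prints "username,UUID" per FileVault-enabled user.
    if ! fdesetup list | cut -d, -f1 | grep -qx "$user"; then
        echo "$user is not a FileVault-enabled user; cannot reissue" >&2
        return 4
    fi
    # The new personal recovery key is printed to stdout by fdesetup.
    # Assumption: an installed escrow profile forwards it to the MDM.
    build_fdesetup_plist "$user" "$pass" | fdesetup changerecovery -personal -inputplist
}

# When invoked as a script with a username argument, read the password from
# stdin (e.g. piped from an osascript prompt) so it never hits argv.
if [ -n "${1:-}" ]; then
    IFS= read -r user_pass
    reissue_recovery_key "$1" "$user_pass"
fi
```

Everything before the `fdesetup changerecovery` line is pure shell and can be exercised anywhere; only the final pipe needs a Mac. The escaping matters more than it looks: an unescaped `<` or `&` in a password makes the plist unparseable, so the reissue silently fails and the stale key stays on record, which is exactly the situation the smart group is meant to catch.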