There is no variable expansion for environment variables, alas. This is a frustrating limitation, but there are ways around it, of course.
1) Create another unit which generates another environment file, which itself processes `/run/metadata/coreos`, generating a line specifying LOCKSMITHD_ETCD_CERTFILE=whatever. Then make that unit a prerequisite for your locksmith unit.
2) Create a wrapper, either inline in your locksmith unit's Exec or as a separate executable, which processes and sets the environment variables as needed for the execution of locksmith.
Locksmithd, like most CoreOS tooling, accepts command line parameters (-etcd-certfile, in this case) as well as environment variables, but that doesn't actually get you any closer; you would still have to apply (2) to change the parameters.