You did not miss something - you can define an only 1 simple_preauth authenticator per a firewall.
But you have the fallback option for the authenticator: if the authenticator implements AuthenticationFailureInterface then on AuthenticationException will be called its onAuthenticationFailure method.
http://symfony.com/doc/current/cookbook/security/api_key_authentication.html#handling-authentication-failure
https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Http/Firewall/SimplePreAuthenticationListener.php#L94
Also you are free to try several authentication ways into authenticator::createToken(). Just don't forget to differentiate them into authenticator::authenticateToken() and authenticateToken::refreshToken() (if stateless: false).
You are able to extend simple_preauth behavior with Custom Authentication Provider but this is most complicated way. It can be several Custom Authentication Providers with overrided SimplePreAuthenticationFactory key and services suffices. Or it can be truly multiple simple_preauth implements Chain pattern for its Listener and Provider. e.g.
class MultipleSimplePreAuthenticationListener implements ListenerInterface
{
...
public function handle(GetResponseEvent $event)
{
foreach ($this->listeners as $listener) {
$listener->handle($event)
}
...
