Hi!
I think identities are part of the public key only, so it should not make a difference for the device. The updated public key should be distributed to the key servers and/or recipients of the GPG emails. So for this case there is no need to update the NK Start.
About the keytocard error message, I suspect you have imported the private part of the encryption key only (this is the only key that is being backed up during the on-device key generation, which is a feature; GnuPG might be more verbose on that though), which would result in inability to modify the main key, hence the message about current secret being useless.
(Please correct me, if I am wrong.)
In case one would like to have a complete key backup to manage it further, it requires a on-PC generation of the key, and then moving it to the device with the key-to-card command. The local encrypted backup should be then moved to a safe storage. Whole process has to be done within a high-security environment (e.g. air-gapped PC, no hard drive, OS run from immutable source like DVD).