I saw a configuration option that allows tagging every build, but it seems this would just needlessly pollute the tag history. Is there a way in Jenkins to tag a build only once it has been marked as passed?
Absolutely, using the Flexible Publish plugin.
This plugin will allow you to wrap post-build actions in a Run condition.
All this really boils down to is, installing & using that plugin, you can wrap your git publish in a Run condition using the Current build status as its condition, setting it to only run when the entire build has passed (success).