The auditor is wrong in two ways and I would recommend appealing this finding.
First, it is up to the organization to identify which "products, components, or activities" are critical (see 3.1.6, 5.4.3 d, and 5.6.1.1 a). The auditor is not allowed to write a nonconformance because they disagree with what the organization has identified as critical.
Furthermore, API Q1 9th Edition Addendum 2 removed all references to "critical suppliers" and now only refers to "suppliers of critical products, components, or activities". In the context of the current Q1 requirements, it is not the supplier that is critical (i.e. due to them being a sole-source); it is what the organization is buying from the supplier that is critical (i.e. due to it's high importance for conformity and/or safety of the product) as identified by the organization.