
Defining the Lagrange interpolation for $x=0$ as $\mathcal{L} = \sum_{i=1}^{t+1} y_{i} \cdot l_{i}$ with $l_{i}$ as the Lagrange basis polynomials. Does this hold if we apply the elliptic curve generator to each share, $y_{i} \times G \rightarrow Y_{i}$?

  1. Defining the elliptic curve version as $\mathcal{L}_{G} = \sum_{i=1}^{t+1} Y_{i} \times l_{i}$

  2. Using a set of shares for the secret $\alpha$ as $S_{\alpha} = \{i \in [1, t + 1] : (i, y_{i})\}$ and elliptic curve point shares as $P_{\alpha} = \{i \in [1, t + 1] : (i, y_{i} \times G)\}$

I expect $\mathcal{L}(S_{\alpha}) \times G = \mathcal{L}_{G}(P_{\alpha}) = \alpha \times G$ to be equal, and also any homomorphic properties to hold.

As far as I know, I haven't seen anyone formulate this or use it in practice in any existing implementation. But the math seems correct. I just don't want to start implementing it without being sure that it works.

shumy

3 Answers

2

This is "half an answer" while I think about the other half :)

EDIT: other half added below.

The mathematical model that I find most useful for all discrete logarithm based cryptography is that of a vector space over a finite field. In many ways, the multiplicative-group implementation and the elliptic curve implementation are isomorphic, although it can be confusing because it's natural to write the former multiplicatively and the latter additively.

For example, the multiplicative-group setup usually has you pick two primes $p, q$ with $q$ dividing $(p-1)/2$, and the embedding function $x \mapsto g^x \mod p$ where $g$ is an element of multiplicative order $q$ modulo $p$ (e.g. $g^q \equiv 1$ modulo $p$).

In the elliptic curve setup, you have a base point $P$ of order $q$, there is no small-$p$ and the embedding function is $x \mapsto x \times P$.

The important mathematical structure here is that the target of the embedding function is a vector space (of dimension 1) over $\mathbb F_p$ and in this model, the embedding function is linear. That lets you work out a lot of things.

I know of several projects that have done various secret-sharing stuff in the multiplicative-group setting, a lot of them concerned with electronic voting, and all of this should port almost 1:1 to the elliptic curve setting. In fact I wish people would do this. You can indeed generate a (Shamir) secret-shared secret key among some authorities, everyone publishes their local public key and then one computes the global election public key as a linear combination (which is what Lagrange is doing) $Y = \sum_i c_i \times Y_i$ where the $Y_i$ are the local public keys.

In principle you could define a product $\otimes$ on the target space (e.g. the curve) via $(x \times P) \otimes (y \times P) := (xy \mod q) \times P$ since the embedding function is bijective. This makes the target space into a ring and should have most of the properties that you need to do things with polynomials there, answering SO's question (I think). The practical problem here is that actually computing this product is equivalent to solving CDH. This should not be a problem in two cases though: (1) in a security proof where you just want to reason about things, (2) in a secret-sharing scheme where the parties who want to compute this product hold the necessary preimages in the finite field.

EDIT

It should all still work fine. For example:

Over a finite field you can $(k, n)$ share a secret $s$ by setting $a_0 = s$, picking $a_1 ... a_{k-1}$ at random and creating the shares $s_i = \sum_{t=0}^{k-1} a_t i^t$. To recover from $k$ shares $(i, s_i)_{t=1}^k$ you compute $ \sum_{t=1}^k \lambda_t s_t$ where the $\lambda_t$ are the Lagrange coefficients.

If your secret $S$ is in the curve, and if you can pick random curve points $A_1 ... A_{k-1}$ then you can create shares by $S_i = \sum_{t=0}^{k-1} [i^t] A_t$ where $[t]A$ denotes scalar multiplication for a scalar $t$ and curve point $A$. The recovery formula is $S = \sum_{t=1}^k [\lambda_t] S_t$. The reason this works is that both the $i^t$ and the $\lambda_t$ are scalars so you're never multiplying curve points.

(You can create a random curve point by picking a random scalar $r$ and computing $[r]P$. Creating a random curve point where you don't know the dlog is harder, but unnecessary here.)

What's going on under the hood here is that, since every curve point has exactly one discrete logarithm, we can define $s$ such that $S = [s]P$ and $a_1 ... a_{k-1}$ such that $A_t = [a_t]P$ where $P$ is the base point. Using linearity, the way we create the shares is thus $S_i = \sum_{t=0}^{k-1} [i^t a_t] P$ so if we choose $s_i$ such that $S_i = [s_i]P$ then for recovery we get $\sum_{t=1}^k [\lambda_t s_t]P = [\sum_{t=1}^k \lambda_t s_t] P$. But the coefficient in the brackets here is exactly the recovery formula for secret sharing over a finite field, so we recover $[s]P = S$ as expected.

(This is incidentally also an example of how you can happily reason about taking discrete logs in security proofs.)

0

Defining $l_{i} = \prod_{m=1, m \neq i}^{t+1}{ \frac{m}{i - m}}$ works perfectly fine. I have done a port of rust-threshold-secret-sharing using curve25519-dalek with positive results.

shumy

0

Let the prime $r$ denote the order of the elliptic curve, and let $G$ denote the generator point. There is a multiplication law $P^{\prime} = [a]P$ defined between a scalar $a \in \mathbb{Z}^{\ast}_{r}$ and a point $P$ on the elliptic curve. Thus we have the following equation:

\begin{equation} [a \cdot b ]G = [a]P \text{ where } P = [b]G \end{equation}

In the Shamir secret sharing scheme, the secret $s$ can be calculated from its shares by $s = \sum_{i=1}^{t+1} l_i \cdot s_i \bmod r$, where $l_i = \prod_{m=1, m \neq i}^{t+1} \frac{m}{i-m}$. Hence,

\begin{equation} [s]G = [\sum_{i=1}^{t+1}l_i \cdot s_i \text{ mod } r]G \end{equation}

Combining equations (1) and (2), we have:

\begin{equation} [s]G = \sum_{i=1}^{t+1}[l_i]P_i \quad \text{where} \quad P_i = [s_i]G \end{equation}

fanfan1215
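
Added example (my own code, not from the question, from any of the answers, or from rust-threshold-secret-sharing / curve25519-dalek): a self-contained Python check of the three claims in this thread on a constructed, textbook-sized curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $G = (5, 1)$, whose order $R$ the code computes by brute force and checks to be prime. `demo()` verifies (1) the question's equality $\mathcal{L}(S_{\alpha}) \times G = \mathcal{L}_{G}(P_{\alpha}) = \alpha \times G$, which is equation (3) of the last answer; (2) that index-wise sums of point shares are point shares of the summed secrets, the homomorphic property the question asks about; and (3) the first answer's EDIT variant, where the secret is itself a curve point shared with random curve points as coefficients. All function names are this example's own, and the Lagrange coefficients are the standard basis polynomials evaluated at $x = 0$, $l_i = \prod_{m \neq i} \frac{0 - m}{i - m}$, reduced modulo $R$.

```python
"""Shamir sharing 'in the exponent' on a constructed toy curve y^2 = x^3 + 2x + 2
over F_17 with base point G = (5, 1).  Demo code for this thread, not any library's."""
import random
from functools import reduce

P, A, B = 17, 2, 2   # toy field prime and curve coefficients (constructed example)
G = (5, 1)           # base point; None stands for the point at infinity


def ec_add(p1, p2):
    """Short-Weierstrass group law with the identity and negation special cases."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1 (also covers doubling with y == 0)
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_order(pt):
    """Smallest k > 0 with [k]pt = infinity, by repeated addition (toy sizes only)."""
    k, acc = 1, pt
    while acc is not None:
        acc, k = ec_add(acc, pt), k + 1
    return k


R = point_order(G)   # scalar field is Z_R, the order of <G>; 19 (prime) for this curve
assert all(R % d for d in range(2, int(R ** 0.5) + 1)), "R must be prime"


def ec_mul(k, pt):
    """[k]pt by left-to-right double-and-add; k mod R is fine since every point used is in <G>."""
    result = None
    for bit in bin(k % R)[2:]:
        result = ec_add(result, result)
        if bit == "1":
            result = ec_add(result, pt)
    return result


def lagrange_at_zero(i, indices):
    """l_i(0) = prod_{m != i} (0 - m)/(i - m) = prod_{m != i} m/(m - i), computed in Z_R."""
    num = den = 1
    for m in indices:
        if m != i:
            num, den = num * m % R, den * (m - i) % R
    return num * pow(den, -1, R) % R


def shamir_share(secret, t, n, rng):
    """Shares (i, f(i)) of a random degree-t polynomial over Z_R with f(0) = secret."""
    assert 0 < n < R, "indices 1..n must stay distinct and non-zero mod R"
    coeffs = [secret % R] + [rng.randrange(R) for _ in range(t)]
    return [(i, sum(c * pow(i, j, R) for j, c in enumerate(coeffs)) % R)
            for i in range(1, n + 1)]


def recover_scalar(shares):
    """Plain Shamir recovery over Z_R: sum_i l_i * s_i."""
    idx = [i for i, _ in shares]
    return sum(lagrange_at_zero(i, idx) * s for i, s in shares) % R


def recover_point(point_shares):
    """The same sum in the exponent: sum_i [l_i] P_i, where P_i = [s_i]G."""
    idx = [i for i, _ in point_shares]
    return reduce(ec_add, (ec_mul(lagrange_at_zero(i, idx), p_i)
                           for i, p_i in point_shares), None)


def share_point(S, t, n, rng):
    """Share a curve point directly: S_i = sum_j [i^j] A_j, A_0 = S, A_1..A_t random points."""
    coeff_pts = [S] + [ec_mul(rng.randrange(1, R), G) for _ in range(t)]
    return [(i, reduce(ec_add, (ec_mul(pow(i, j, R), a_j)
                                for j, a_j in enumerate(coeff_pts)), None))
            for i in range(1, n + 1)]


def demo(t=2, n=5, seed=1):
    """Run the three checks the thread asks about; returns name -> bool."""
    rng = random.Random(seed)
    alpha = rng.randrange(1, R)
    shares = shamir_share(alpha, t, n, rng)                 # (i, y_i)
    subset = rng.sample(shares, t + 1)                      # any t+1 of them
    point_shares = [(i, ec_mul(y, G)) for i, y in subset]   # (i, Y_i = y_i x G)
    expected = ec_mul(alpha, G)                             # alpha x G
    # (1) L(S_alpha) x G == L_G(P_alpha) == alpha x G, the question's claim
    exponent_ok = (ec_mul(recover_scalar(subset), G) == expected
                   and recover_point(point_shares) == expected)
    # (2) additivity: index-wise sums of point shares of alpha and beta recover alpha + beta
    beta = rng.randrange(1, R)
    summed = [(i, ec_add(ec_mul(a, G), ec_mul(b, G)))
              for (i, a), (_, b) in zip(shares, shamir_share(beta, t, n, rng))]
    hom_ok = recover_point(summed[:t + 1]) == ec_mul(alpha + beta, G)
    # (3) sharing the curve point S = alpha x G directly, with random curve-point coefficients
    point_ok = recover_point(rng.sample(share_point(expected, t, n, rng), t + 1)) == expected
    return {"exponent_ok": exponent_ok, "homomorphic_ok": hom_ok, "point_sharing_ok": point_ok}


if __name__ == "__main__":
    print("subgroup order R =", R, demo())
```

Running the file prints the subgroup order and the three booleans. The point arithmetic is deliberately naive (affine coordinates, no constant-time concerns) because the point of the example is the algebra, not a usable library. One detail worth keeping in mind when porting this to a real curve: the scalar field is $\mathbb{Z}_R$ with $R$ the order of $G$, not the field the curve is defined over, so the Lagrange coefficients must be inverted modulo $R$, and share indices must be distinct and non-zero modulo $R$.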