Do you actually have that or are you suggesting it as a solution? Unless something changed you can't get certs for subdomains unless they are on the public suffix list, and getting on that list is non-trivial.
Then I use Caddy server as a reverse proxy on the internal network, which is configured to do DNS challenges to get certificates. Here's the plugin for AWS Route53 for example: https://github.com/caddy-dns/route53 - The challenge just verifies that I have control over the domain through DNS and provides a certificate to me no problem.
It's been working perfectly for a few years for us on our internal networks. Was the OP asking for something different? I'm not entirely sure what the 'public suffix list' is for subdomains, but I definitely have a valid certificate right now for *.a.domain.tld, served internally and provided by LetsEncrypt.
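For readers who want to see what the setup above looks like in practice, here is an added Caddyfile example; it is not the commenter's actual configuration and not code from the caddy-dns/route53 project. A wildcard certificate such as *.a.domain.tld can only be obtained through the DNS-01 challenge, which is why the DNS plugin is needed at all. The example assumes Caddy was built with the route53 module (`xcaddy build --with github.com/caddy-dns/route53`), that AWS credentials are supplied through the SDK's default chain (environment variables or an instance profile), and that the backend hostnames, addresses and ports are placeholders.

```caddyfile
# Added example, not the commenter's real config. Assumptions:
#   - caddy binary built with: xcaddy build --with github.com/caddy-dns/route53
#   - AWS credentials from the SDK default chain (AWS_ACCESS_KEY_ID /
#     AWS_SECRET_ACCESS_KEY / AWS_REGION, or an instance profile), scoped
#     to the hosted zone that contains a.domain.tld
#   - backend addresses below are placeholders
{
    # ACME account contact; Let's Encrypt is Caddy's default CA
    email ops@domain.tld
}

# One wildcard certificate for *.a.domain.tld obtained via DNS-01.
# HTTP-01 / TLS-ALPN-01 would require these hosts to be reachable
# from the internet, which an internal reverse proxy is not.
*.a.domain.tld {
    tls {
        dns route53
        # Check TXT propagation against public resolvers so Caddy does
        # not ask the CA to validate before the record is visible.
        resolvers 1.1.1.1 8.8.8.8
    }

    @grafana host grafana.a.domain.tld
    handle @grafana {
        reverse_proxy 10.0.0.10:3000
    }

    @wiki host wiki.a.domain.tld
    handle @wiki {
        reverse_proxy 10.0.0.11:8080
    }

    # Any other name under the wildcard gets a 404 instead of being
    # proxied somewhere unintended.
    handle {
        respond 404
    }
}
```

One caveat worth keeping in mind: whatever credential the proxy uses to answer the challenge can write DNS records in that zone, and whoever can write records there can obtain certificates for any name in it. Scope the IAM policy to the single hosted zone and to the Route53 actions the plugin's README lists, rather than handing the proxy a general-purpose key.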
The public suffix list is (or was) used to tell if foo.domain.com is considered a different user than bar.domain.com.
If domain.com is on the list then foo.domain.com is different than bar.domain.com. If not then it's considered a single user and the rate limits apply.
Those rate limits are fine for almost all internal IT uses. The 50 certificates per week limit does not count renewals, that's 50 new hostnames added every week. Maybe larger shops need to roll out certificates a bit slower in order to not exceed that limit but it's still a pretty generous limit.
The public suffix list only affects limits with letsencrypt. The limit is still quite high IIRC, you just need to have proper backoff and smoothing between devices.