Azure static web app custom domain fails with unknown error

A couple of days ago I was trying to add a custom domain using CNAME for an Azure static web app. When the custom domain was added it first went green and then red with a validation error:

An unknown error has occurred while adding your custom domain. Please try again later.

This did not leave me with much! After a day of trying with different subdomains, fewer subdomains and even more subdomains, I finally figured it out. It turns out there was a CAA record in the DNS zone. If you are like me you have no clue what this is, but it lists the issuers (certificate authorities) who are allowed to issue certificates for your domains (and it is inherited from the apex by your subdomains). For this example it only contained letsencrypt.org, but Microsoft uses DigiCert!

Here is an example of what to look for:

0 issue "digicert.com"

After adding DigiCert to the CAA record it went straight through. To serve your site over HTTPS you need a certificate. Azure auto-generates this for you, but they need to be allowed to do so for your domain.
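The inheritance described above can be reproduced offline. This is an added example, not code from the original post: the example.com zone data, the function names and the `lookup` callback are constructed for illustration, and it shows why a CAA set at the apex blocks DigiCert for a deep subdomain until digicert.com is added.

```python
# Added example: names and zone data below are constructed, not from the post.
# CNAME aliases and wildcard (issuewild) names are not modelled.

# name -> CAA records as (flags, tag, value); only the apex has a CAA set
BROKEN_ZONE = {"example.com": [(0, "issue", "letsencrypt.org")]}
FIXED_ZONE = {"example.com": [(0, "issue", "letsencrypt.org"),
                              (0, "issue", "digicert.com")]}


def relevant_caa(name, lookup):
    """Climb from name towards the root and return (owner, records) for the
    first non-empty CAA set, which is the one a CA must honour (RFC 8659)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        records = lookup(owner)
        if records:
            return owner, records
    return None, []


def issuer_allowed(name, ca_domain, lookup):
    """Return (allowed, owner): whether ca_domain may issue for name, and
    which DNS name supplied the CAA set that decided it."""
    owner, records = relevant_caa(name, lookup)
    # The issuer is the part of the value before any ';' parameters.
    issuers = [value.split(";", 1)[0].strip().lower()
               for _flags, tag, value in records if tag.lower() == "issue"]
    if not issuers:
        # No CAA set anywhere, or no "issue" property: issuance is unrestricted.
        return True, owner
    return ca_domain.lower() in issuers, owner


if __name__ == "__main__":
    site = "www.blog.example.com"
    for label, zone in (("before", BROKEN_ZONE), ("after", FIXED_ZONE)):
        for ca in ("letsencrypt.org", "digicert.com"):
            allowed, owner = issuer_allowed(site, ca, zone.get)
            print(f"{label}: {ca} for {site}: "
                  f"{'allowed' if allowed else 'BLOCKED'} (CAA at {owner})")
```

To check a real domain, pass a `lookup` that returns the CAA records your resolver reports for each name.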

I hope this saves someone else out there a day of work!