Cipher suite changes are applying only to base domain on wildcard cert, but I want them to apply to all domains

Cloudflare is set up through our hosting vendor (Acquia). I don’t know the exact details of the plan. I do know that it’s some kind of enterprise plan, that we manage the hostnames and SSL certificates via the SSL/TLS > Custom Hostnames menu, have access to the PATCH hostname method, and don’t have access to the PATCH Ciphers method (but that may be because it’s limited to the vendor, and not necessarily a feature of the plan).

I have a certificate configured like this in the UI:

(sorry about the redactions, I’m not supposed to share client information).

I need to limit the allowed cipher suites based on the client’s requirements. I’ve done this using the PATCH hostname method in the API:

{
    "ssl": {
        "method": "txt",
        "type": "dv",
        "settings": {
            "http2": "on",
            "http3": "on",
            "min_tls_version": "1.2",
            "tls_1_3": "on",
            "ciphers": [
                "ECDHE-ECDSA-AES128-GCM-SHA256",
                "ECDHE-ECDSA-CHACHA20-POLY1305",
                "ECDHE-RSA-CHACHA20-POLY1305",
                "ECDHE-ECDSA-AES256-GCM-SHA384"
            ],
            "early_hints": "on"
        },
        "wildcard": true
    }
}

That worked, and I can see the ciphers if I query that hostname using the GET custom hostname method:

{
    "result": {
        "id": "<omitted>",
        "hostname": "example.com",
        "ssl": {
            "id": "<omitted>",
            "type": "dv",
            "method": "txt",
            "status": "active",
            "hosts": [
                "example.com",
                "*.example.com"
            ],
            "settings": {
                "http2": "on",
                "tls_1_3": "on",
                "min_tls_version": "1.2",
                "ciphers": [
                    "ECDHE-ECDSA-AES128-GCM-SHA256",
                    "ECDHE-ECDSA-AES256-GCM-SHA384",
                    "ECDHE-ECDSA-CHACHA20-POLY1305",
                    "ECDHE-RSA-CHACHA20-POLY1305"
                ],
                "early_hints": "on"
            },
            "bundle_method": "ubiquitous",
            "certificates": [
                {
                    "issuer": "CloudflareInc",
                    "serial_number": "<omitted>",
                    "signature": "ECDSAWithSHA256",
                    "expires_on": "<omitted>",
                    "issued_on": "<omitted>",
                    "fingerprint_sha256": "<omitted>",
                    "id": "<omitted>"
                },
                {
                    "issuer": "CloudflareInc",
                    "serial_number": "<omitted>",
                    "signature": "SHA256WithRSA",
                    "expires_on": "<omitted>",
                    "issued_on": "<omitted>",
                    "fingerprint_sha256": "<omitted>",
                    "id": "<omitted>"
                }
            ],
            "wildcard": true,
            "certificate_authority": "digicert"
        },
        "status": "active",
        "created_at": "<omitted>"
    },
    "success": true,
    "errors": [],
    "messages": []
}

I can also see that only strong cipher suites are enabled if I scan the bare domain (which is the primary domain set in the Cloudflare custom hostname) with the tool at SSL Server Test (Powered by Qualys SSL Labs).

However, if I scan the www subdomain, it still has the default cipher suites, including some weak cipher suites:

According to ssllabs the certificates on the two domains have different serial numbers and fingerprints, but they do have the same subject and alternate names. Not sure if that matters.

Is there something extra I need to do to make the subdomains respect the cipher settings?
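A client-side check for the symptom described in this post, added here as an example (it is not code from the poster, Cloudflare or Acquia): it offers one TLS 1.2 suite per handshake to each hostname and lists any suite the edge accepts that is not in the `ciphers` list from the PATCH body. The hostnames `example.com` and `www.example.com` are placeholders, and the function names are made up for this example.

```python
import socket
import ssl

# Allowed list copied from the PATCH body in the post (OpenSSL names, TLS 1.2).
ALLOWED = {
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
}

def local_tls12_ciphers():
    """Names of every TLS <= 1.2 suite the local OpenSSL build can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:@SECLEVEL=0")  # include weak suites so they can be tested
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")

def probe(host, cipher, port=443, timeout=5.0):
    """True if the server completes a TLS 1.2 handshake offering only `cipher`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # only cipher acceptance is measured here,
    ctx.verify_mode = ssl.CERT_NONE      # so certificate validation is skipped
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites are not probed
    try:
        ctx.set_ciphers(f"{cipher}:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):  # SNI selects the hostname
                return True
    except (ssl.SSLError, OSError):
        return False

def audit(hosts, allowed=ALLOWED, candidates=None, probe_fn=probe):
    """Map each host to the accepted suites that are outside `allowed`."""
    candidates = local_tls12_ciphers() if candidates is None else candidates
    return {h: [c for c in candidates if c not in allowed and probe_fn(h, c)]
            for h in hosts}

if __name__ == "__main__":
    # Placeholder hostnames: the bare domain and the www subdomain from the post.
    for host, extra in audit(["example.com", "www.example.com"]).items():
        print(host, "OK" if not extra else f"accepts outside policy: {extra}")
```

The result is limited to suites the local OpenSSL build still ships, so an empty list should be confirmed against a full scanner such as the SSL Labs test mentioned above.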