So - this is inconvenient and doesn’t really work in real-life.
I don’t see why a simple wildcard has to have all these restrictions, as most naming conventions use some part of the domain as a top-level indicator e.g.
dev-*.domain.com
Given the fact that sub-sub-level domains have problems e.g. a.b.domain.com - the above seems to be the only way out. I cannot possibly sub-domain everything as *.domain.com in a single rule.
Please look into expanding/fixing this.