Restrict/scope API tokens to a subdomain

API Tokens are good, but it would be much better if they could be scoped to a specific subdomain.

I believe this is the same request as Having different api key per domain, from nearly a year ago - any progress since then?

My specific use case here is an ACME DNS-01 client that I want to scope to the specific subdomain that the client is on, such that if that token were to be compromised the rest of my domain is safe.