Restrict tunnel access to subdomains

When using cloudflared tunnel login, a wildcard certificate is generated for all subdomains, *.example.com.

To me this is never a wanted outcome since I don’t want any compromised machine to be able to choose any other domain than what I assign to it.

So far I have manually revoked that cert and created a new one in the origin cert section in the dashboard.
Then I replaced the private key and cert in cert.pem.
The only part left is the argo token.

The goal is to make sure the machine only has access to create a tunnel using the specific subdomain and nothing else, in case that machine is compromised.

  1. Is it possible to directly specify a specific subdomain so the local installation only has access to create a tunnel for that domain?

  2. Are there other security considerations I need to consider?
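An added check, not from the original post, for the cert-swapping step described above. It assumes the replaced cert.pem keeps cloudflared's layout of separate PEM blocks (private key, certificate, token) and that openssl 1.1.1 or newer is installed; it reads the first CERTIFICATE block and fails if any SAN is a wildcard or is anything other than the one hostname the machine is meant to have.

```shell
#!/bin/sh
# Verify that the certificate inside a cloudflared-style cert.pem is scoped
# to exactly one hostname (no *.example.com wildcard, no extra names).
set -eu

# san_list FILE -> one DNS SAN per line, taken from the first CERTIFICATE
# block in FILE (openssl skips the PRIVATE KEY / token blocks on its own).
san_list() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# check_cert_scope FILE HOST -> exit 0 only if every SAN equals HOST.
# A wildcard SAN, an additional SAN, or a certificate with no SAN all fail.
check_cert_scope() {
  names=$(san_list "$1")
  [ -n "$names" ] || return 1   # no SAN at all: refuse rather than guess
  # read line by line so a literal '*.example.com' is never glob-expanded
  echo "$names" | while read -r n; do
    [ "$n" = "$2" ] || exit 1
  done
}

# make_demo_cert OUTFILE NAME -> constructed self-signed cert (demo only),
# written key-first then certificate to mimic the cert.pem layout.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -keyout "$1" -out "$1.crt" 2>/dev/null
  cat "$1.crt" >> "$1"
}

# Usage: sh check_cert_scope.sh /path/to/cert.pem app.example.com
if [ $# -eq 2 ]; then
  if check_cert_scope "$1" "$2"; then
    echo "ok: $1 is scoped to $2 only"
  else
    echo "FAIL: $1 is not scoped to $2 only (wildcard or extra SAN?)" >&2
    exit 2
  fi
fi
```

Run it against the real cert.pem after swapping in the dashboard-issued origin certificate; a wildcard SAN means the revoke-and-replace step did not take effect.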