Root org account owns root domain hosted zone, can I route to sub-account CloudFront distribution?


I have a root organization account that "owns" all of my domains in a hosted zone, e.g. "amazingstuff.com"

I have "child" accounts where I actually have all of my infrastructure / application deployed using CDK, e.g. "dev" and "prod". I use domain delegation to have, for example, control of prod.amazingstuff.com and dev.amazingstuff.com.

This works well but I would like to have a "special case", where my "prod" website uses amazingstuff.com.

From what I can tell this is not possible, because in order to allow CloudFront to handle amazingstuff.com, I need to add the other domains to the "Alternate domain name" list in CloudFront. The issue is that I can't do that, because when I try I get

The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements

I get this error even though I've already added a certificate in my root account to this domain.

Note that the instructions I was originally trying to follow are these: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements - in my root account I've added two (because IPv6) records to alias to my CloudFront domain. So the amazingstuff.com domain "works", in that I go to CloudFront it seems, but CloudFront appears to reject or otherwise not like the request as I get a 403 error with

The request could not be satisfied.

Repeating myself, but this is presumably (?) because the domain is not listed in the "alternate domain names" in the CloudFront distribution configuration (?).

Is there any solution here, or do I have no choice but to make "prod" the owner of the root Hosted Zone so it can control the root domain?

Thank you!!

1 Answer

Hi,

This blog post details the recommended architecture for your use case: https://aws.amazon.com/blogs/architecture/using-route-53-private-hosted-zones-for-cross-account-multi-region-architectures/

Best,

Didier

AWS Expert
Answered 8 months ago
  • Thank you very much Didier for taking the time to find that link!

    I am quite sure that all the answers I seek are there, but after attempting to read through it a few times I'm having a difficult time understanding how the architecture diagram solves my question / issue. I didn't see "CloudFront" mentioned in the article, but it seems like my specific issue in this case is that CloudFront is rejecting the requests because they are coming from a non-authorized domain?
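The two failures described in the thread (the "certificate doesn't cover the alternate domain name" error when adding the alias, and the 403 "The request could not be satisfied" once DNS points at the distribution) follow from a small set of rules: the ACM certificate must live in us-east-1, in the same account as the distribution (an ACM certificate in the root account cannot be attached to a distribution in the prod account), it must cover every alternate domain name (a wildcard such as *.amazingstuff.com does not cover the apex), and CloudFront serves a request only when its Host header matches the distribution's own domain or one of its alternate domain names. The following pre-flight checker is an added example, not code from the thread or from AWS; the account IDs, certificate ARNs and distribution domain are made up, while Z2FDTNDATAQYW2 is the fixed hosted zone ID Route 53 uses for alias records that target any CloudFront distribution. Nothing here calls AWS; the last function only builds the ChangeResourceRecordSets change batch the root account would submit for the apex A and AAAA alias records.

```python
"""Pre-flight checks for serving an apex domain (owned by a parent account's hosted
zone) from a CloudFront distribution in a child account.  Added example with
constructed inputs; nothing here talks to AWS."""
from dataclasses import dataclass, replace

# Fixed Route 53 hosted zone ID for alias records targeting any CloudFront distribution.
CLOUDFRONT_ALIAS_ZONE_ID = "Z2FDTNDATAQYW2"


@dataclass
class AcmCertificate:
    arn: str          # region and owning account are parsed from the ARN
    names: list[str]  # common name plus subject alternative names

    @property
    def region(self) -> str:
        return self.arn.split(":")[3]

    @property
    def account(self) -> str:
        return self.arn.split(":")[4]


@dataclass
class Distribution:
    account: str
    domain_name: str        # the dxxxxxxxx.cloudfront.net name
    aliases: list[str]      # "Alternate domain names (CNAMEs)"
    certificate: AcmCertificate


def cert_covers(cert_name: str, hostname: str) -> bool:
    """TLS/ACM wildcard semantics: '*.example.com' matches exactly one extra label,
    so it covers 'prod.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(head) and sep == "." and tail == cert_name[2:]
    return cert_name == hostname


def check_alias(dist: Distribution, alias: str) -> list[str]:
    """Reasons CloudFront would refuse to add `alias` to `dist`; empty list means OK."""
    cert = dist.certificate
    problems = []
    if cert.region != "us-east-1":
        problems.append(f"certificate is in {cert.region}; CloudFront only accepts "
                        "ACM certificates from us-east-1")
    if cert.account != dist.account:
        problems.append(f"certificate is owned by account {cert.account} but the "
                        f"distribution by {dist.account}; ACM certificates are not "
                        "usable across accounts")
    if not any(cert_covers(n, alias) for n in cert.names):
        problems.append(f"certificate ({', '.join(cert.names)}) does not cover {alias}")
    return problems


def request_accepted(dist: Distribution, host_header: str) -> bool:
    """CloudFront answers 403 'The request could not be satisfied' when the Host header
    is neither the distribution's own domain nor one of its alternate domain names."""
    host = host_header.lower().rstrip(".")
    return host == dist.domain_name.lower() or any(host == a.lower() for a in dist.aliases)


def alias_change_batch(zone_apex: str, dist: Distribution) -> dict:
    """Route 53 change batch the parent account applies to its hosted zone so the apex
    resolves (IPv4 and IPv6) to the child account's distribution."""
    return {"Changes": [
        {"Action": "UPSERT",
         "ResourceRecordSet": {
             "Name": zone_apex, "Type": rr_type,
             "AliasTarget": {"HostedZoneId": CLOUDFRONT_ALIAS_ZONE_ID,
                             "DNSName": dist.domain_name,
                             "EvaluateTargetHealth": False}}}
        for rr_type in ("A", "AAAA")]}


# Constructed scenario mirroring the thread: root account 1111..., prod account 2222...
ROOT_CERT = AcmCertificate("arn:aws:acm:us-east-1:111111111111:certificate/aaaa-root",
                           ["amazingstuff.com", "*.amazingstuff.com"])
PROD_CERT = AcmCertificate("arn:aws:acm:us-east-1:222222222222:certificate/bbbb-prod",
                           ["prod.amazingstuff.com", "*.prod.amazingstuff.com"])
PROD_DIST = Distribution("222222222222", "d111111abcdef8.cloudfront.net",
                         ["prod.amazingstuff.com"], PROD_CERT)
# The fix: a certificate requested in the prod account that also lists the apex.
FIXED_DIST = replace(PROD_DIST, aliases=["prod.amazingstuff.com", "amazingstuff.com"],
                     certificate=replace(PROD_CERT, names=["amazingstuff.com", "prod.amazingstuff.com"]))

if __name__ == "__main__":
    print(check_alias(PROD_DIST, "amazingstuff.com"))                          # prod cert lacks apex
    print(check_alias(replace(PROD_DIST, certificate=ROOT_CERT), "amazingstuff.com"))  # cross-account
    print(check_alias(FIXED_DIST, "amazingstuff.com"))                         # []
    print(request_accepted(PROD_DIST, "amazingstuff.com"), request_accepted(FIXED_DIST, "amazingstuff.com"))
    print(alias_change_batch("amazingstuff.com.", FIXED_DIST))
```

The cross-account split is DNS-only: the root account keeps the hosted zone and writes the alias records, while the certificate and the alternate domain name both have to live next to the distribution in the prod account (DNS validation for that certificate is done by adding the CNAME records ACM asks for in the root account's zone).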
