AWS Certificate Manager Pending Validation when DNS validation is successful

0

I'm attempting to renew a certificate created in AWS Certificate Manager (ACM), but I'm stuck in the dreadful PENDING_VALIDATION status; this is a DNS validated certificate where I validated using the CNAME record.

Under domains I can see the domain validation has a status of Success and Renewal Status of Success.

If I run aws acm describe-certificate --certificate-arn "examplearn", I get a return showing DomainValidationOptions with the ValidationStatus being success for the CNAME validation.

Replaced with "example" for sensitive values

{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:example:certificate/certid",
        "DomainName": "*.example.com",
        "SubjectAlternativeNames": [
            "*.example.com"
        ],
        "DomainValidationOptions": [
            {
                "DomainName": "*.example.com",
                "ValidationDomain": "*.example.com",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "examplename",
                    "Type": "CNAME",
                    "Value": "examplevalue"
                },
                "ValidationMethod": "DNS"
            }
        ],
        "Serial": "",
        "Subject": "CN=*.example.com",
        "Issuer": "Amazon",
        "CreatedAt": "2019-01-17T12:53:01-08:00",
        "IssuedAt": "2021-10-22T21:21:50.177000-07:00",
        "Status": "ISSUED",
        "NotBefore": "2021-10-22T17:00:00-07:00",
        "NotAfter": "2022-11-23T15:59:59-08:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [
            "example",
            "example",
            "example",
            "example"
        ],
        "Type": "AMAZON_ISSUED",
        "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [
                {
                    "DomainName": "*.example.com",
                    "ValidationDomain": "*.example.com",
                    "ValidationStatus": "SUCCESS",
                    "ResourceRecord": {
                        "Name": "examplename",
                        "Type": "CNAME",
                        "Value": "examplevalue"
                    },
                    "ValidationMethod": "DNS"
                }
            ],
            "UpdatedAt": "2022-09-21T23:39:15.161000-07:00"
        },
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            },
            {
                "Name": "TLS_WEB_CLIENT_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.2"
            }
        ],
        "RenewalEligibility": "ELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "ENABLED"
        }
    }
}

Followed instructions successfully in https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ (checking CNAME response exactly matches what is in ACM CNAME values when copy pasting).

The site domain registration is in Route 53 with NS pointing to Cloudflare, where DNS is managed.

Is there something obvious that pops out to you? Thank you!

1 Answer
0
Accepted Answer

The update is an asynchronous process, so you should wait a little longer and contact support if it seems impossible.

Understanding renewal timing

Managed renewal for ACM certificates is an asynchronous process. This means that the steps don't occur in immediate succession. After all domain names in an ACM certificate have been validated, there might be a delay before ACM obtains the new certificate. An additional delay can occur between the time when ACM obtains the renewed certificate and the time when that certificate is deployed to the AWS resources that use it. Therefore, changes to the certificate status can take up to several hours to appear in the console.

https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html

answered a year ago
AWS EXPERT
reviewed a year ago
  • Thank you for the consolation! Decided to finally pay for the upgrade for support since this has been over a day.

  • Certificate was renewed after contacting Amazon support; yay!
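
Added example (not part of the original thread and not AWS tooling): a small Python triage of `aws acm describe-certificate` JSON that separates "a domain is still unvalidated" from "every domain is validated and the renewal is simply waiting on ACM", the situation described above. The function name, the verdict strings and the `grace_hours` threshold are assumptions; the sample document is constructed from the values shown in the question.

```python
import json
from datetime import datetime

# Constructed sample: only the fields this check reads, with the values
# shown in the question's describe-certificate output.
SAMPLE = json.loads("""
{"Certificate": {
  "NotAfter": "2022-11-23T15:59:59-08:00",
  "RenewalSummary": {
    "RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "*.example.com", "ValidationStatus": "SUCCESS"}
    ],
    "UpdatedAt": "2022-09-21T23:39:15.161000-07:00"}}}
""")


def triage_renewal(doc, now, grace_hours=24):
    """Classify a managed renewal from `aws acm describe-certificate` JSON.

    grace_hours is an assumed local threshold, not an AWS-documented value.
    `now` must be a timezone-aware datetime.
    """
    cert = doc["Certificate"]
    days_left = (datetime.fromisoformat(cert["NotAfter"]) - now).days
    renewal = cert.get("RenewalSummary")
    if renewal is None:
        return {"verdict": "no-renewal-started", "days_to_expiry": days_left}
    result = {"verdict": renewal["RenewalStatus"].lower(),
              "days_to_expiry": days_left}
    if renewal["RenewalStatus"] != "PENDING_VALIDATION":
        return result
    # Domains ACM itself still reports as unvalidated point to a DNS-side problem.
    unvalidated = [d["DomainName"] for d in renewal["DomainValidationOptions"]
                   if d.get("ValidationStatus") != "SUCCESS"]
    age = now - datetime.fromisoformat(renewal["UpdatedAt"])
    result["hours_since_update"] = round(age.total_seconds() / 3600, 1)
    result["unvalidated"] = unvalidated
    if unvalidated:
        result["verdict"] = "fix-validation-records"
    elif result["hours_since_update"] < grace_hours:
        result["verdict"] = "wait"  # all domains validated; issuance is asynchronous
    else:
        result["verdict"] = "contact-support"
    return result


if __name__ == "__main__":
    now = datetime.fromisoformat("2022-09-23T08:00:00-07:00")  # constructed time
    print(triage_renewal(SAMPLE, now))
```

The `days_to_expiry` field is what makes the wait-or-escalate decision urgent: the old certificate stays in service until `NotAfter`, so alert on it independently of the renewal status.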
