Actually, reading the application settings docs more carefully:
"Do not use wildcard placeholders or localhost URLs in your application callbacks or allowed origins fields."
This reads to me like it’s referring to “Allowed Origins (CORS)” and that a wildcard might be okay in the “Allowed Web Origins” field. Would appreciate it if I can get confirmation on this from someone at Auth0.
EDIT: Nvm, looks like this is explicitly discouraged still: How come "Allowed Web Origins" does not allow wildcards? - #125 by randynasson
Seems like Auth0 is 90% of the way there towards enabling this multitenant subdomain approach… In the short term, looks like my best bet is updating the Allowed Web Origins field explicitly for each tenant.
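One way to build the explicit per-tenant list described in the post above, as an added example that is not the poster's code or Auth0's. It assumes a parent domain of `example.com`, hypothetical helper names, and that the resulting body is what gets sent in a client update through the Auth0 Management API (the `web_origins` field name is an assumption about that API's client object).

```python
import re
from urllib.parse import urlsplit

BASE_DOMAIN = "example.com"  # assumed placeholder for the app's parent domain
# A single DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
_LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def tenant_origin(slug, base_domain=BASE_DOMAIN):
    """Return the exact https origin for one tenant, or raise ValueError."""
    slug = slug.strip().lower()
    if not _LABEL.match(slug):
        # Rejects "*", dotted names, slashes and anything else that could
        # widen the origin beyond one tenant subdomain.
        raise ValueError(f"tenant slug is not a single DNS label: {slug!r}")
    return f"https://{slug}.{base_domain}"


def is_explicit_origin(origin):
    """True only for https://host[:port] with no wildcard, path or loopback host."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return (
        parts.scheme == "https"
        and "*" not in origin
        and host != ""
        and host not in _LOOPBACK
        and parts.path == ""
        and not parts.query
        and not parts.fragment
    )


def add_tenant(current, slug):
    """Return (update_body, rejected): the origin list with the tenant added
    once, plus any existing entries that were wildcard, localhost or malformed."""
    origin = tenant_origin(slug)
    kept = [o for o in current if is_explicit_origin(o)]
    rejected = [o for o in current if not is_explicit_origin(o)]
    if origin not in kept:
        kept.append(origin)
    return {"web_origins": kept}, rejected
```

Running `add_tenant` as part of tenant provisioning keeps the list exact, and a non-empty `rejected` list flags entries that should be reviewed before the update is sent.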