Wildcard: yes. Any subdomain? No. That would require another _acme-challenge CNAME label in front of that specific subdomain.
While technically the CA/Browser Forum Baseline Requirements do allow issuance of subdomains once a certain domain has been validated (might be limited to certain types of challenges tho), Let's Encrypt does not allow this.
E.g.:
With Let's Encrypt, the challenge (or in your case, a CNAME) for _acme-challenge.example.com would allow issuance of certs with hostnames example,com and *.example.com, but not foo.example.com. This latter hostname would require a challange or CNAME for _acme-challenge.foo.example.com.
You could limit issuance for non-wildcard certificates using a CAA resource record by the way.
Doesn't the hosting provider have vastly dangerous "permissions" already?