We initially tried to ignore an IP in the CN, but it turned a bit hairy actually implementing it. So we went for a more restrictive option to allow launching.
An IP address can be put in a CN so it is a valid “request” for us. And we do use the CSR CN to choose what to put in the cert CN, for profiles which have a CN enabled.
Perhaps once we inevitably fully remove CN support we can just entirely ignore the CSR field, but until then this is a bit of a paper cut unfortunately.