Sorry, only the first post had loaded. Odd.
Can your customers CNAME/A a subdomain onto your platform, instead of using your subdomain?
In terms of NewOrders… given the isolation levels you have, you should probably assign a new account/account-key to each customer, which would eliminate that concern.
Some people have purchased multiple domains in the past, pre-provisioned the subdomains and certificates, and then allocated those to customers instead of on-demand.
In any event…
- There is a rate-limit exception form, and you may qualify for it. Personally, I would pursue this option, because it sounds like you need both an Account and Domain exception.
- There is also the public-suffix list, which may also be worth looking into.