It's perhaps unfortunate that the Common Name is made the focal point. The X.509 certificates we use today weren't originally intended for the Internet at all; they're part of the X.500 system, a global directory which was never built. In that system the certificate would have one human-readable "Common Name" for the subject, such as "Steve Jobs" or "The White House", that would just be a convenient label for humans.
When X.509 was re-purposed for the Internet last century by the Netscape Corporation, the Common Name was re-used to write a DNS name, but that's a bit clumsy because it's a human-readable field whereas DNS names are machine names, and also because a certificate is only supposed to have one Common Name, and it's annoying to need a separate certificate for each name. So when this was standardised as PKIX, the DNS names were given their own way to be represented, as one or more Subject Alternative Names (SANs). Since lots of people already had certificates with DNS names filled in as a Common Name, this was grandfathered in for a long time. But today common software like web browsers doesn't actually even glance at the Common Name; it's mostly there for humans to look at. Your browser just checks that the certificate has a SAN matching the Fully Qualified Domain Name in the URL.
If you have some pretty old cranky software you might need to have separate certificates, one for each name, but if it's for web sites or most modern software it's up to you whether it feels appropriate to have one certificate or many, and in a reverse proxy one certificate is likely easiest.
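The SAN-only check described above, as an added example that is not part of the original post: a minimal Python matcher that consults only the SAN dNSName entries and never the Common Name. The certificate dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and all host names are constructed for illustration, and the wildcard handling is a simplified version of what real clients do.

```python
# Added example: hostname verification that looks only at SAN dNSName entries.
# Certificates are dicts in the shape returned by ssl.SSLSocket.getpeercert();
# every name below is a constructed sample value.

def dns_name_matches(pattern, host):
    """Compare one SAN dNSName with a host name, case-insensitively.
    A '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels after the wildcard (no "*.com")
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h

def san_dns_names(cert):
    """All dNSName values from the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    """The subject Common Name, shown to humans but not used for matching."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def verify_hostname(cert, host):
    """True only if some SAN dNSName matches; the CN is never consulted."""
    return any(dns_name_matches(name, host) for name in san_dns_names(cert))

# Constructed sample: one certificate covering several names behind a reverse proxy.
MULTI_NAME = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"),
                       ("DNS", "*.apps.example.com")),
}
# Constructed sample: legacy-style certificate with the DNS name only in the CN.
CN_ONLY = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    for cert, host in [(MULTI_NAME, "example.com"),
                       (MULTI_NAME, "api.apps.example.com"),
                       (MULTI_NAME, "a.b.apps.example.com"),
                       (CN_ONLY, "legacy.example.com")]:
        print(host, "CN=" + str(common_name(cert)), "->", verify_hostname(cert, host))
```
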