As you’ve probably discovered (or you can go look now with any certificate inspecting tool of your choice, many web browsers have something built in), ordinarily certificates have a list of names inside them, for example a certificate might say it’s for
This certificate will be suitable for a service offering any (or all) of those names, but it would cause errors or some warning to the end user if you tried to use it for a service named, say, www.example.org because that’s not on the list.
Wildcard certificates say something like *.example.com as a name. The asterisk matches any one DNS label at the left hand of the name, that’s basically any part of the name that doesn’t have a dot in it. So *.example.com would match www.example.com, and mail.example.com and cat-photos.example.com but not www.example.org, or example.com (not enough dots) or say, database.internal.example.com (too many dots). This use of an asterisk is called a “wildcard”
However, you will still need to configure (web) servers for any new names and set them to present the certificate, it is possible that the Certbot software will be updated to help with this, but probably if you’re creating new subdomains on the fly you’ll need to arrange as part of that to use HTTPS for them, and to present the Wildcard certificate to visitors as proof you control these new names.