Putting usernames in certificates seems fragile. While getting a certificate usually takes seconds, it could take days, so you are creating a hard dependency on Let's Encrypt availability in your create-user workflow.
Certificates are also public information and are logged forever in CT, so you might not be able to put usernames in certificates for data privacy reasons.
I don't think so. The BRs allow using example.com as the Authorization Domain Name for *.<user>.example.com
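The reply above rests on the Baseline Requirements' definition of an Authorization Domain Name: for a requested FQDN, the CA must first strip all wildcard labels from the left, then may prune zero or more further labels from left to right until it reaches the Base Domain Name, and may validate any of the names that pruning yields. The following Python is an added example, not code from this thread or from any CA, that computes that candidate set; the public-suffix table it uses is a constructed stub with a handful of entries standing in for the real Public Suffix List.

```python
"""Compute the candidate Authorization Domain Names (ADNs) for a requested FQDN
per the CA/Browser Forum Baseline Requirements: strip wildcard labels from the
left, then prune labels left to right until the Base Domain Name; every value
produced on the way (including the base itself) may be validated.

Added example, not from the thread. PUBLIC_SUFFIXES is a constructed stub.
"""

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


def base_domain_name(fqdn: str) -> str:
    """Return the registrable domain: the longest public suffix plus one label."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {fqdn!r}")


def authorization_domain_names(requested_fqdn: str) -> list[str]:
    """Every FQDN a CA may validate control of in order to issue for requested_fqdn,
    ordered from the most specific name to the Base Domain Name."""
    labels = requested_fqdn.lower().rstrip(".").split(".")
    # Step 1: the BRs require removing all wildcard labels from the left-most portion.
    while labels and labels[0] == "*":
        labels.pop(0)
    if "*" in labels:
        raise ValueError("wildcard labels are only permitted at the left-most position")
    base = base_domain_name(".".join(labels))
    # Step 2: prune labels left to right; stop once the Base Domain Name is reached.
    candidates = []
    while True:
        name = ".".join(labels)
        candidates.append(name)
        if name == base:
            return candidates
        labels.pop(0)


def may_validate_via(requested_fqdn: str, adn: str) -> bool:
    """True if `adn` is one of the names the BRs allow as the ADN for `requested_fqdn`."""
    return adn.lower().rstrip(".") in authorization_domain_names(requested_fqdn)


if __name__ == "__main__":
    # For the thread's case: validating example.com suffices for *.alice.example.com.
    print(authorization_domain_names("*.alice.example.com"))
    print(may_validate_via("*.alice.example.com", "example.com"))
```

Two caveats for anyone relying on this. The pruning is a permission the BRs grant to CAs, not something a subscriber can demand: whether a given CA exercises it is that CA's own policy, and the ACME dns-01 challenge as specified in RFC 8555 places the `_acme-challenge` TXT record under the identifier being validated itself. Second, `base_domain_name` must be driven by the real Public Suffix List in practice; a stale or incomplete list here would let pruning stop short of, or run past, the true registrable domain.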