But the problem is that the DNS entry to authorize *.example.com and example.com are both _acme-challenge.example.com. Even by setting the TTL to the minimum allowed by my DNS provider (30s) it is challenging to ensure that the authorization for one will not be contaminated by the authorization for the other (I just ran into the problem myself).
At the very least, when requesting a wildcard certificate, shouldn’t the authorization for *.example.com also cover example.com, given that they check the same DNS entry anyway? That would allow creating an order for both *.example.com and example.com, require validating _acme-challenge.example.com only once, and then process a certificate request for both *.example.com and example.com.
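As an added illustration (not part of the post above, and not code from any ACME client), the following Python shows the mechanics the post is about: the DNS-01 TXT value for each authorization is derived from that authorization's token and the account key thumbprint, so the wildcard and apex authorizations produce two different values at the same name, and RFC 8555 §8.4 has the CA accept the name if any one of the TXT records at `_acme-challenge.example.com` matches. The tokens and thumbprint are constructed placeholders, and `ZONE` is a hypothetical in-memory stand-in for the DNS zone, so this runs offline. The `validate_dns01` function models the CA-side check; it is not Let's Encrypt's code.

```python
import base64
import hashlib

def b64url(data: bytes) -> str:
    # ACME uses unpadded base64url (RFC 8555, RFC 4648 section 5).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    # Key authorization = token "." base64url(JWK thumbprint of the account key);
    # the TXT record holds base64url(SHA-256(key authorization)).
    key_authorization = f"{token}.{account_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def validate_dns01(txt_records, token: str, account_thumbprint: str) -> bool:
    # CA-side check as RFC 8555 section 8.4 describes it: the authorization
    # passes if ANY TXT record at the name equals the expected digest.
    expected = dns01_txt_value(token, account_thumbprint)
    return any(record == expected for record in txt_records)

# Constructed placeholder values (hypothetical; a real thumbprint is derived
# from the ACME account key and real tokens are issued by the CA).
THUMBPRINT = "constructed-account-key-thumbprint"
TOKEN_WILDCARD = "constructed-token-for-wildcard-authz"
TOKEN_APEX = "constructed-token-for-apex-authz"
CHALLENGE_NAME = "_acme-challenge.example.com"

# Hypothetical in-memory zone: name -> list of TXT record values.
ZONE = {}

def publish_txt(name: str, value: str) -> None:
    # DNS allows several TXT records at one name; appending rather than
    # overwriting is what keeps the two authorizations from clashing.
    ZONE.setdefault(name, []).append(value)

def demo() -> dict:
    ZONE.clear()
    wildcard_value = dns01_txt_value(TOKEN_WILDCARD, THUMBPRINT)
    apex_value = dns01_txt_value(TOKEN_APEX, THUMBPRINT)

    # Publishing only the wildcard record: the apex authorization fails,
    # which is the "contamination" the post describes when one record
    # overwrites the other.
    publish_txt(CHALLENGE_NAME, wildcard_value)
    apex_before = validate_dns01(ZONE[CHALLENGE_NAME], TOKEN_APEX, THUMBPRINT)

    # Publishing both records side by side lets each authorization pass
    # against the same name without waiting for a TTL to expire.
    publish_txt(CHALLENGE_NAME, apex_value)
    wildcard_ok = validate_dns01(ZONE[CHALLENGE_NAME], TOKEN_WILDCARD, THUMBPRINT)
    apex_ok = validate_dns01(ZONE[CHALLENGE_NAME], TOKEN_APEX, THUMBPRINT)

    return {
        "values_differ": wildcard_value != apex_value,
        "apex_ok_with_only_wildcard_record": apex_before,
        "wildcard_ok_with_both": wildcard_ok,
        "apex_ok_with_both": apex_ok,
        "record_count": len(ZONE[CHALLENGE_NAME]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway is that the clash is avoidable on the client side: add the second TXT record instead of replacing the first, and remove both only after every authorization in the order has been validated. Lowering the TTL only helps when records are replaced; coexisting records do not need it.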