Thank you for your quick response.
I have done exactly what you suggest and I am using Azure for DNS. But this solution you propose becomes a problem when you the apex custom domain to the CDN endpoint. CDN will NOT provide the certificate for the apex domain (by design).
The only option that I have found is to create a certificate and set everything up in a common AD. However, I am not totally convinced that will work correctly either.
Being able to have CDN support licensing (shared or otherwise) for the apex domain on the endpoint would be a better solution. Having DNS handle the mapping of the apex to the appropriate submain would ideal.
I have seen postings where some people considered leaving Azure and moving to other hosting services where this is far simpler. However, that is not my intention, but I do really need this to work. Given the state of the documentation, very wordy and usually a out of date, I wanted to reach out and see if this problem had been solved any someone. Knowing that there is a working solution would help.
Thanks!