Thanks for asking question! You may want to know that the free certificate is issued by DigiCert. For some top-level domains, you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com
To add to: The free App Service Managed Certificate is still in Preview and there are few limitations to it:
• Does not support wildcard certificates.
• Does not support naked domains.
• Is not exportable.
• Is not supported on App Service Environment (ASE)
• Does not support A records. For example, automatic renewal doesn't work with A records.
You may refer to below official document link might be helpful:
https://azure.github.io/AppService/2019/11/04/Announcing-Managed-Certificates.html
Please let us know if you have further question on this.