A lot to unpack there, so let me walk through it:
- The shared SMTP space can be any of those domains. You don't have to account for all of them on the cert, just one of them that is an accepted domain in Office 365 and on-prem. Mail will flow for all the accepted domains when they are added to the hybrid connector address space. You just need to set it for one domain for the cert requirements - so the connectors can use forced TLS and verify the sending servers in the hybrid config - that's all.
- Autodiscover is where you need the primary domains accounted for. Your existing on-prem certificate that clients use should already have these, I assume. You can use SRV records or wildcards, but typically SAN certs are used. Example: autodiscover.domaina.com, autodiscover.domainb.com, etc. If those are all set on the cert, then you are good. You will need to keep pointing autodiscover in DNS to your internal Exchange servers as it is now until all the mailboxes are moved to Office 365.
- If you buy another domain and add it as accepted, you won't have to make any changes to any existing certs as long as the new domain is not set as a primary SMTP address for mailboxes. If so, then you would need to generate a new cert with autodiscover.newdomain.com (or use SRV records) - assuming you still had those mailboxes on-prem. You wouldn't need to add any new domain to the cert for SMTP mail flow in hybrid.
Are you sure you have an Edge Role Server? It typically won't be part of the domain and will sit in a DMZ. It won't be part of the internal Exchange org in the AD Forest.
More on SRV records:
https://supertekboy.com/2016/05/17/using-srv-records-for-autodiscover/
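Added example, not from the poster above: a PowerShell check for the Autodiscover point in that reply. For each domain still used as a primary SMTP address by on-prem mailboxes, it reports whether clients can reach Autodiscover through a name the certificate actually covers: either `autodiscover.<domain>` is on the cert (as a SAN or via a one-label wildcard), or an `_autodiscover._tcp.<domain>` SRV record points at a host that is on the cert. The SAN list, domain list and SRV answers are constructed sample data so it runs offline; the comments show the real cmdlets (`Get-ExchangeCertificate`, `Get-AcceptedDomain`, `Resolve-DnsName`) you would feed it in an Exchange Management Shell. The function names are mine and not Exchange cmdlets.

```powershell
# Added example (not from the original post). Checks Autodiscover name coverage on a SAN cert.
# Sample data below is constructed; live equivalents are noted in comments.

function Test-NameCoveredByCert {
    # Returns $true if $Name is listed on the cert, or matched by a wildcard SAN.
    # A wildcard only covers one label: *.domainc.com covers autodiscover.domainc.com,
    # not a.b.domainc.com and not domainc.com itself.
    param([string]$Name, [string[]]$CertNames)
    $n = $Name.ToLowerInvariant()
    foreach ($san in $CertNames) {
        $s = $san.ToLowerInvariant()
        if ($s -eq $n) { return $true }
        if ($s.StartsWith('*.')) {
            $suffix = $s.Substring(1)                       # ".domainc.com"
            $labelsWanted = $suffix.TrimStart('.').Split('.').Count + 1
            if ($n.EndsWith($suffix) -and $n.Split('.').Count -eq $labelsWanted) { return $true }
        }
    }
    return $false
}

function Get-AutodiscoverCoverage {
    param(
        [string[]]$PrimaryDomains,   # domains used as primary SMTP addresses by on-prem mailboxes
        [string[]]$CertNames,        # SANs on the cert clients hit for Autodiscover
        [scriptblock]$SrvLookup      # given a domain, returns the SRV target host or $null
    )
    foreach ($domain in $PrimaryDomains) {
        $adName = "autodiscover.$domain"     # not $host: that is a reserved automatic variable
        $r = [ordered]@{ Domain = $domain; Method = 'none'; Target = $null; Covered = $false }
        if (Test-NameCoveredByCert -Name $adName -CertNames $CertNames) {
            $r.Method = 'SAN'; $r.Target = $adName; $r.Covered = $true
        } else {
            $target = & $SrvLookup $domain
            if ($target) {
                # SRV only helps if the host it points at is itself on the cert
                $r.Method = 'SRV'; $r.Target = $target
                $r.Covered = Test-NameCoveredByCert -Name $target -CertNames $CertNames
            }
        }
        [pscustomobject]$r
    }
}

# --- Constructed sample inputs (replace with the live cmdlets in the comments) ---

# Live: (Get-ExchangeCertificate -Thumbprint <thumb>).CertificateDomains | ForEach-Object { $_.ToString() }
$sampleCertNames = 'mail.domaina.com', 'autodiscover.domaina.com', 'autodiscover.domainb.com', '*.domainc.com'

# Live: (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString() }, then keep only the
# domains that are still the primary SMTP domain of mailboxes that have not moved to Office 365.
$sampleDomains = 'domaina.com', 'domainb.com', 'domainc.com', 'newdomain.com', 'domaind.com'

# Live: (Resolve-DnsName -Name "_autodiscover._tcp.$d" -Type SRV -ErrorAction SilentlyContinue).NameTarget
$sampleSrv = @{ 'newdomain.com' = 'mail.domaina.com'; 'domaind.com' = 'mail.other.example' }
$lookup = { param($d) $sampleSrv[$d] }

Get-AutodiscoverCoverage -PrimaryDomains $sampleDomains -CertNames $sampleCertNames -SrvLookup $lookup |
    Format-Table Domain, Method, Target, Covered -AutoSize
```

With the sample data, domaina.com and domainb.com are covered by explicit SANs, domainc.com by the wildcard, newdomain.com by an SRV record pointing at mail.domaina.com (which is on the cert), and domaind.com comes back `Covered = False` because its SRV target is not on the cert, which is the case that produces certificate warnings in Outlook. Any row with `Method = none` is a primary SMTP domain that needs either a new SAN or an SRV record before its mailboxes can stay on-prem cleanly.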