The validation has finally completed successfully. So, the issue has resolved.
I think the issue may have been self-made. When I setup the Classic CDN, rather usefully, it let me know that there was a problem because I'd implemented CAA records for our DNS domain. They did not include Digicert. So, I fixed that issue and that allowed Classic CDN to continue its setup. I did wonder if it might have been the same showstopper for the Front Door setup... but there was no communication of that to me through the Portal.
So, if there are no coincidences in life, fixing up my CAA records also allowed the Front Door CDN to complete its DNS validation. Microsoft needs to change Front Door so that it communicates this as early as possible. We know they can do it because Classic CDN does it.
Nice to see them honour CAA records. Still no UI for them. So, I assume they're still not popular.