Thank you for reaching out.
Based on your question above:
For the certificate present in the service on AKS, I will need to add the Private Endpoint url as a SAN, correct? Or should we be using the DNS name of the service? Since the Front Door will use the private endpoint, I think it makes sense to add that url to the subject name.
You need to add the Host Name configured when you added your Origin to Azure Front Door in this step here. The host name is used for SNI (SSL negotiation) and should match your server-side certificate.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
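One way to verify the point made in the answer, that the origin certificate must cover the host name Front Door sends as SNI, is to connect to the origin the way Front Door does (SNI set to the configured origin host name) and compare the certificate's DNS Subject Alternative Names against that name. The script below is an added example, not code from the post, from Microsoft or from Azure Front Door; the origin address, the host names and the `SAMPLE_CERT` dict are constructed placeholders, and the matching rule (exact match or a single leftmost-label wildcard) is the standard RFC 6125 rule.

```python
"""Check that the origin certificate's DNS SANs cover the host name used as SNI.

Added example (not from the original Q&A). Names and addresses are constructed.
"""
import socket
import ssl


def hostname_matches_san(hostname: str, san_name: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard covering exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    san_name = san_name.lower().rstrip(".")
    if san_name == hostname:
        return True
    if san_name.startswith("*."):
        host_labels = hostname.split(".")
        san_labels = san_name.split(".")[1:]
        # '*.svc.example' matches 'a.svc.example' but not 'a.b.svc.example' or 'svc.example'.
        return len(host_labels) == len(san_labels) + 1 and host_labels[1:] == san_labels
    return False


def dns_sans(peercert: dict) -> list[str]:
    """Extract DNS names from the dict shape returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def check_origin_certificate(origin_host_name: str, peercert: dict) -> tuple[bool, list[str]]:
    """Return (covered, san_list): whether any DNS SAN covers the Front Door origin host name."""
    names = dns_sans(peercert)
    covered = any(hostname_matches_san(origin_host_name, n) for n in names)
    return covered, names


def fetch_origin_cert(address: str, origin_host_name: str, port: int = 443) -> dict:
    """Connect to the origin endpoint but send origin_host_name as SNI, as Front Door would.

    A default context validates the chain and the host name, so a certificate that
    does not cover origin_host_name raises ssl.SSLCertVerificationError here; the
    returned dict lets you list which names the certificate actually carries.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=origin_host_name) as tls:
            return tls.getpeercert()


# Constructed sample in the getpeercert() shape: the certificate an AKS ingress might
# present, with the origin host name as a SAN but no entry for a private-endpoint name.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.contoso-internal.example"),),),
    "subjectAltName": (
        ("DNS", "api.contoso-internal.example"),
        ("DNS", "*.svc.contoso-internal.example"),
    ),
}


if __name__ == "__main__":
    # Offline check against the constructed certificate.
    for host in ("api.contoso-internal.example", "pe.privatelink.contoso-internal.example"):
        ok, names = check_origin_certificate(host, SAMPLE_CERT)
        print(f"{host}: {'covered' if ok else 'NOT covered'} by SANs {names}")
    # Live check (placeholder address; uncomment and fill in to use):
    # cert = fetch_origin_cert("10.0.0.4", "api.contoso-internal.example")
    # print(check_origin_certificate("api.contoso-internal.example", cert))
```

The offline part shows the answer's rule directly: the constructed certificate covers the configured origin host name but not a private-endpoint style name, so a Front Door origin configured with the latter would fail the SNI/certificate match.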