Hello @Evgeny , Welcome to the Microsoft Q&A forum,
As per my understanding from the question above, you have over 500 tenants (80-90 tenants per region) and each tenant can have 5 applications associated to it with their own distinct IP's and you are planning on using one wild card certificate. Your understanding here is correct Application gateway is a regional load balancer, so you are planning to have 80-90 tenants per application gateway with at the most 450 (90*5) backends.
Azure Application Gateway supports multiple site hosting as you can use wildcard characters like asterisk (*) and question mark (?) in the host name, and up to 5 host names per multi-site HTTP(S) listener. For example,
*.contoso.com. You can go through this documentation for additional details on Multi Site hosting. Now as per the Application Gateway Limitations you can have 100 active listeners that are routing traffic which works in your scenario as you will have 80-90 tenants per application gateway but there is also a limit of 100 Back-end address pools which can be a blocker in your scenario. As each app has a distinct IP address in your case and depending on how you will add them as your backend pool you might go over the limit of 100. The work around in this case will be to have more than one application gateways per region.
In addition to the links shared above you can also go through this Well-Architected Framework review - Azure Application Gateway v2 and also utilize Azure Advisor to get a recommendation on best practices to optimize your Azure deployments.
Hope this helps! Please let me know if you have any additional questions. Thank you!