Add-in Manifest: allow wildcards for app domains
I just ran into this same problem. We are a SaaS data warehouse app that isn't multi-tenant specifically to silo customer data, security, ...
We are also using a unique sub-domain for each customer. They love our product, except for when they want to pull some data to self analyze in Excel. Right now they have to create a report definition, run the report, export to CSV then open in Excel.
We, specifically me, created a proof of concept Excel add-in that takes the customer's domain name as configuration of the add-in and were able to make our API calls to do all that behind the scenes and just load data directly into Excel. Demo was a hit, but then in development I ran into this brick wall. I am unable to do OAuth authentication because Excel won't let me load the authentication page from the customer's unique site! Not in the taskpane, not in a dialog, nada. I added the internal QA site to the manifest and then it worked.
Because OAuth requires a page to open on the end user's machine to do the authentication and authorize the app (add-in), I can't think of any way around this hard restriction (limitation) for Office add-in manifest AppDomain.
And it is completely NOT feasible to list all customers' domains in the manifest as we are adding one or more new ones nearly every week.
I briefly looked into Office.auth, but the customers would need their IT involved to set up stuff in their AAD/Entra to get it to function, and the use of it sounded way more complex than OAuth, which has plenty of helper libraries and full examples.