James_Denning
Nov 25, 2022

App Service behind Front Door: ARRAffinity cookie/SSL Binding with TXT only

Hi

We have App Services sitting behind Azure Front Door serving a custom domain/host (say app.somedomain.com), with the following features/settings:

  • We use Azure managed certificates on Front Door. 
  • PrivateLink to the App Services
  • ARRAffinity is ON (currently needed)
  • We use the X-Forwarded-Host header value to ensure the app software knows what domain it is actually serving.

Problem: ARRAffinity cookies are not honouring the X-Forwarded-Host header

  • Cookies are set for the app service azurewebsites.net hostname, which is invalid.
  • If we want to set the Origin Host Header in AFD to the domain name, we need TLS to all work
    BUT:
  • We can get the domain hostname partially verified with a TXT record, BUT then cannot add a managed certificate to support the custom domain: while we have added a TXT record with the asuid prefix, the CNAME mapping is to AFD, so we cannot add it to the app service.
  • We don't have the facility to BYOC (bring our own cert).

So either:

  • How to get the app service to have a custom domain binding and managed certificate without the CNAME entry
    OR
  • How to make the ARRAffinity cookies be set for the front end domain (or rewrite the Set-Cookie header, but I think this is beyond AFD's Header rewrite capability (overwrite, delete, append - can you overwrite with the original value but with a change to it?)).

Many thanks in advance

James Denning

1 Reply

  • James_Denning
    In the end got rid of the need for ARRAffinity cookies, was easier than trying to explain the problem again to anyone.
