I agree that's not proper domain fronting, but one point is that CDNs can and absolutely do restrict certain SNI/Host/sites to subsets of their IPs. It's not necessarily the case that if you can connect to one CDN node you can connect to all the sites that CDN serves.
Requested host does not match any Subject Alternative Names (SANs) on TLS certificate [d22c2cdf866a373f3648c0d7c30f9399e974d07c8c5417566ff11059a06f5b40] in use with this connection. Visit https://docs.fastly.com/en/guides/common-400-errors#error-42... for more information.
But I'm just doing this from memory, it's possible I did something else a years ago.
