Host matchers and TLS certificates

Your question seems related to this discussion from earlier (and GH issue). You basically need a way to tell Caddy to manage an equivalent wildcard certificate for a domain, rather than a certificate for that domain itself. Caddy can’t tell the difference otherwise. If you give it a domain a.b.tld and *.b.tld, it doesn’t know that it’s not supposed to manage a separate certificate for a.b.tld – since that is a matter of key management, which we don’t go into the business of presuming without explicit user consent.

Thing is, the other guy wants example.com to get a cert for *.example.com, but you want sub.example.com to get a cert for *.example.com, which is different logic.

Actually, Caddy should already be seeing that wildcard certificate and not activating auto-HTTPS for the new host in the matcher, but it can only do that if the wildcard cert has been loaded already. Since the wildcard is also in a host matcher, no certificate for it has been loaded… so it doesn’t know to skip it.

I guess in the meantime you could use the `skip` property (see the JSON Config Structure page in the Caddy documentation) to skip the non-wildcard subdomain… maybe?
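For readers who want to see what the suggested workaround looks like on the wire, here is an added illustration of a Caddy v2 JSON config, not from the post above or from the Caddy project itself. It lists both `sub.example.com` and `*.example.com` in one host matcher, tells the HTTP server's `automatic_https` to skip `sub.example.com` so Caddy does not obtain a separate certificate for it, and asks the `tls` app to manage the wildcard explicitly. The hostnames, the server name `srv0` and the DNS provider module name are placeholders; a wildcard certificate can only be issued via the ACME DNS challenge, so a real DNS provider module must be substituted.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{ "host": ["sub.example.com", "*.example.com"] }],
              "handle": [{ "handler": "static_response", "body": "ok" }]
            }
          ],
          "automatic_https": {
            "skip": ["sub.example.com"]
          }
        }
      }
    },
    "tls": {
      "certificates": {
        "automate": ["*.example.com"]
      },
      "automation": {
        "policies": [
          {
            "subjects": ["*.example.com"],
            "issuers": [
              {
                "module": "acme",
                "challenges": {
                  "dns": {
                    "provider": { "name": "PLACEHOLDER_DNS_PROVIDER_MODULE" }
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }
}
```

With `skip`, Caddy neither manages a certificate for `sub.example.com` nor adds the HTTP-to-HTTPS redirect for it; `skip_certificates` is the narrower option that only suppresses certificate management while keeping the redirect. Once the wildcard certificate is loaded, requests for `sub.example.com` are served under `*.example.com`. Note that this is a deliberate decision to let one private key cover every name under `example.com`, which is exactly the key-management choice the post says Caddy will not make on your behalf without an explicit setting.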