I think baking the subscriber's username into part of the DNS name does some good stuff - a relying client can verify they're talking to *.rmc47.service.example, and the certificate-issuing service can verify it only provides a cert to a device authenticated to that account.
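The two checks the comment describes, written out as an added example (this is not the commenter's code or any project's): on the issuing side, a device authenticated as account `rmc47` may only be issued a certificate for names directly under `rmc47.service.example`; on the relying side, a client for that account only accepts a peer name in the same namespace. The zone name `service.example` and the account `rmc47` are taken from the comment; the rule that exactly one device label sits under the account, and the rejection of wildcards, are assumptions made for the example. Comparison is label-wise after normalization, so suffix look-alikes such as `xrmc47.service.example` or `rmc47.service.example.attacker.example` do not pass.

```python
import re
from typing import List, Optional, Tuple

# Assumed zone under which every subscriber owns a delegated namespace (from the comment).
SERVICE_ZONE = "service.example"

# RFC 1123 host label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
# A bare "*" or an empty label fails this, which is how wildcards are refused.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_label(label: str) -> bool:
    return bool(_LABEL_RE.match(label))


def _labels(name: str) -> List[str]:
    """Lowercase, drop a trailing dot, and split into labels so comparisons are exact."""
    return name.strip().lower().rstrip(".").split(".")


def account_namespace(account: str) -> str:
    """DNS suffix owned by one subscriber, e.g. 'rmc47.service.example'.

    Assumption: usernames are already usable DNS labels; a deployment whose
    usernames allow other characters would need a fixed, injective mapping here.
    """
    account = account.strip().lower()
    if not is_valid_label(account):
        raise ValueError(f"account {account!r} is not a usable DNS label")
    return f"{account}.{SERVICE_ZONE}"


def device_label(account: str, name: str) -> Optional[str]:
    """Return the device label if `name` is exactly <device>.<account>.service.example.

    Returns None for anything else: wildcards, extra or missing labels, other
    accounts, and names that merely end in the same characters as the namespace.
    """
    suffix = _labels(account_namespace(account))
    labels = _labels(name)
    if len(labels) != len(suffix) + 1:
        return None
    if labels[1:] != suffix:
        return None
    if not is_valid_label(labels[0]):
        return None
    return labels[0]


def authorize_csr_sans(account: str, sans: List[str]) -> Tuple[List[str], List[str]]:
    """Issuance-side check: split requested DNS SANs into (approved, rejected).

    The CA should refuse the whole request if `rejected` is non-empty rather than
    silently issuing for the approved subset.
    """
    approved, rejected = [], []
    for san in sans:
        (approved if device_label(account, san) is not None else rejected).append(san)
    return approved, rejected


def client_accepts(account: str, presented: str) -> bool:
    """Relying-side check: the name the peer's certificate proved control of must
    sit directly under the account's namespace (the comment's *.rmc47.service.example)."""
    return device_label(account, presented) is not None


if __name__ == "__main__":
    # Constructed sample CSR: one legitimate device name, one wildcard, one other account.
    ok, bad = authorize_csr_sans(
        "rmc47",
        ["laptop.rmc47.service.example", "*.rmc47.service.example", "nas.alice.service.example"],
    )
    print("approved:", ok)
    print("rejected:", bad)
    print("client accepts laptop:", client_accepts("rmc47", "LAPTOP.rmc47.service.example."))
```

The `rejected` list is returned rather than discarded so the issuance service can log which names an authenticated device asked for but was not entitled to; a pattern of such requests from one account is worth alerting on.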