Got this working properly after a lot of trial and error, reviewing docs, and reading a lot of source code (thank goodness it's all open source).
The gist to pull this off is:
• Create DNS authorizations
• Create one or more certificates from those authorizations
• Then use the certificates in a certificate map passed into a load balancer
◦ URL maps
◦ HTTP proxy which forwards to HTTPS
◦ HTTPS proxy
◦ public IP address and a couple of global forwarding rules
For the CDNs, use a backing bucket, and for Cloud Run or Cloud Functions use a backend service.
Finally, add the DNS authorization CNAMEs to your DNS provider.
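
The steps above for the bucket-backed CDN case, written out as gcloud commands in an added example that is not part of the original post. The post does not say which tool was used, so gcloud is an assumption, as are the resource-name prefix, the sample domain and bucket, and the reading of "HTTP proxy which forwards to HTTPS" as a redirect-only URL map.

```shell
#!/usr/bin/env bash
# Added example, not the original author's code. Resource names are built from
# a caller-chosen prefix (hypothetical). DRY_RUN=1 prints each command instead
# of executing it, so the sequence can be reviewed before anything is created.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

provision() {  # usage: provision DOMAIN BUCKET PREFIX
  domain=$1; bucket=$2; p=$3
  # 1. DNS authorization, then a Google-managed certificate bound to it
  run gcloud certificate-manager dns-authorizations create "$p-auth" --domain="$domain"
  run gcloud certificate-manager certificates create "$p-cert" \
      --domains="$domain" --dns-authorizations="$p-auth"
  # 2. Certificate map with one entry for the hostname
  run gcloud certificate-manager maps create "$p-map"
  run gcloud certificate-manager maps entries create "$p-entry" \
      --map="$p-map" --certificates="$p-cert" --hostname="$domain"
  # 3. CDN case: backend bucket in front of the storage bucket, plus its URL map
  run gcloud compute backend-buckets create "$p-bb" --gcs-bucket-name="$bucket" --enable-cdn
  run gcloud compute url-maps create "$p-https-map" --default-backend-bucket="$p-bb"
  # 4. Redirect-only URL map so port 80 never serves content in clear text
  redirect=$(mktemp)
  printf 'kind: compute#urlMap\nname: %s-http-map\ndefaultUrlRedirect:\n  httpsRedirect: true\n  redirectResponseCode: MOVED_PERMANENTLY_DEFAULT\n' "$p" > "$redirect"
  run gcloud compute url-maps import "$p-http-map" --source="$redirect" --global
  # 5. HTTPS proxy takes the certificate map; HTTP proxy takes the redirect map
  run gcloud compute target-https-proxies create "$p-https-proxy" \
      --url-map="$p-https-map" --certificate-map="$p-map"
  run gcloud compute target-http-proxies create "$p-http-proxy" --url-map="$p-http-map"
  # 6. One global address shared by both forwarding rules
  run gcloud compute addresses create "$p-ip" --global
  run gcloud compute forwarding-rules create "$p-fr-https" --global \
      --address="$p-ip" --target-https-proxy="$p-https-proxy" --ports=443
  run gcloud compute forwarding-rules create "$p-fr-http" --global \
      --address="$p-ip" --target-http-proxy="$p-http-proxy" --ports=80
  # 7. Print the CNAME record that has to be added at the DNS provider
  run gcloud certificate-manager dns-authorizations describe "$p-auth" \
      --format="get(dnsResourceRecord.name,dnsResourceRecord.type,dnsResourceRecord.data)"
}

# Runs only when called as: script.sh DOMAIN BUCKET PREFIX
if [ "$#" -eq 3 ]; then provision "$@"; fi
```

The managed certificate stays in a provisioning state until the CNAME printed by the last command resolves at the DNS provider.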