I have this code snippet in place:

var certificateName = ResourceName("certificate");
        var managedCertificate = new Certificate(certificateName, new CertificateArgs
        {
            Location = location,
            ResourceGroupName = resourceGroup.Name,
            HostNames = new [] { customDomainName },
            CanonicalName = customDomainName,
            ServerFarmId = appService.ServerFarmId!
        });

        var customDomainBindingName = ResourceName("customDomainBinding");
        var customHostNameBinding = new WebAppHostNameBinding(customDomainBindingName, new WebAppHostNameBindingArgs
        {
            Name = appService.Name,
            ResourceGroupName = resourceGroup.Name,
            SiteName = appService.Name,
            HostName = customDomainName,
            SslState = SslState.SniEnabled,
            Thumbprint = managedCertificate.Thumbprint
        });

But i get the following error when running pulumi up: error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Properties.CanonicalName is invalid. Certificate creation requires hostname XXX added to an App Service in the serverFarm /subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.Web/serverfarms/XXX." It works only if I first deploy the custom domain binding without the certificate, and then add the certificate in a new run...

It's a known problem – there's a cyclic dependency in the Azure API itself so this isn't possible in a single run without some kind of hacks. Cert creation depends on custom domain to be deployed and to update the SSL binding on the custom domain it needs to know the cert thumbprint.

Thank you for the detailed info!