Update: you can have ACM certs for the same domain in different accounts/regions; they just need to be verified by the owner. So I can create a cert during the provisioning of each account, trigger an event to the base account to handle the DNS verification, and then use that domain on APIGWs in that account by referencing the cert created in that account.
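The per-account flow described in the update, as an added example (not the post author's code): the member account requests a DNS-validated ACM cert, reads the CNAME ACM wants published, and sends it as an EventBridge event to the base account; the base account's handler writes that CNAME into the hosted zone it owns; once the cert is issued, the member account attaches it to a regional API Gateway custom domain. The AWS clients are passed in as duck-typed objects whose methods mirror the real boto3 calls (`request_certificate`, `describe_certificate`, `put_events`-shaped entries, `change_resource_record_sets`, `create_domain_name`), so the module runs offline against the constructed fakes at the bottom. The bus ARN, hosted zone id, zone name and account ids are placeholders. Two defensive points are built in: the base-account handler trusts the `account` field of the EventBridge envelope (set by the service, not the sender) rather than anything inside `detail`, and it refuses to write any record that is not a CNAME under the zone it owns, so a compromised member account cannot use the validation path to plant arbitrary DNS. In a real deployment the base account's event bus resource policy should also only admit the organisation's accounts, and the handler's role should be scoped to that single hosted zone.

```python
"""Cross-account ACM DNS validation flow. Added illustration, not the post
author's code. AWS clients are injected (duck-typed boto3 clients), so the
module runs offline against the constructed fakes at the bottom; bus ARN,
zone id, zone name and account ids are placeholders."""
import json

BASE_EVENT_BUS_ARN = "arn:aws:events:eu-west-1:111111111111:event-bus/acm-validation"  # placeholder
ZONE_ID = "Z0PLACEHOLDER"            # base-account hosted zone for ZONE_SUFFIX (placeholder)
ZONE_SUFFIX = "example.com"          # handler refuses records outside this zone (placeholder)
TRUSTED_ACCOUNTS = {"222222222222"}  # member accounts allowed to request validation (placeholder)


# --- member account side -----------------------------------------------------
def request_dns_validated_cert(acm, domain):
    """Request a certificate validated by DNS CNAME rather than e-mail."""
    return acm.request_certificate(DomainName=domain, ValidationMethod="DNS")["CertificateArn"]

def validation_records(acm, cert_arn):
    """CNAMEs ACM wants published. ACM fills ResourceRecord asynchronously,
    so a just-requested cert may legitimately return an empty list (caller retries)."""
    cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
    return [dict(o["ResourceRecord"]) for o in cert.get("DomainValidationOptions", [])
            if o.get("ResourceRecord")]

def build_validation_event(account_id, domain, cert_arn, records):
    """EventBridge entry the member account sends to the base account's bus via put_events."""
    detail = {"account": account_id, "domain": domain, "certificateArn": cert_arn, "records": records}
    return {"Source": "org.provisioning.acm", "DetailType": "AcmDnsValidationRequested",
            "EventBusName": BASE_EVENT_BUS_ARN, "Detail": json.dumps(detail)}

def attach_regional_domain(apigw, domain, cert_arn):
    """Regional API Gateway custom domain referencing the cert issued in this account/region."""
    return apigw.create_domain_name(domainName=domain, regionalCertificateArn=cert_arn,
                                    endpointConfiguration={"types": ["REGIONAL"]})


# --- base account side (EventBridge -> Lambda handler) -----------------------
def handle_validation_event(event, route53):
    """Trust the envelope's 'account' (set by EventBridge), never the detail body,
    and only UPSERT CNAMEs inside the zone this account owns."""
    if event.get("account") not in TRUSTED_ACCOUNTS:
        raise PermissionError(f"untrusted source account {event.get('account')}")
    changes = []
    for r in event["detail"]["records"]:
        name = r["Name"].rstrip(".")
        if r["Type"] != "CNAME" or not name.endswith("." + ZONE_SUFFIX):
            raise ValueError(f"refusing record outside {ZONE_SUFFIX}: {r}")
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": r["Name"], "Type": "CNAME", "TTL": 300,
            "ResourceRecords": [{"Value": r["Value"]}]}})
    batch = {"Comment": "ACM DNS validation", "Changes": changes}
    route53.change_resource_record_sets(HostedZoneId=ZONE_ID, ChangeBatch=batch)
    return batch


# --- constructed fakes standing in for boto3 clients -------------------------
class FakeAcm:
    def __init__(self, record_ready=True):
        self.record_ready = record_ready  # False models the async gap before ACM publishes the CNAME

    def request_certificate(self, DomainName, ValidationMethod):
        return {"CertificateArn": "arn:aws:acm:eu-west-1:222222222222:certificate/fake-id"}

    def describe_certificate(self, CertificateArn):
        opt = {"DomainName": "api.example.com", "ValidationStatus": "PENDING_VALIDATION"}
        if self.record_ready:
            opt["ResourceRecord"] = {"Name": "_abc123.api.example.com.", "Type": "CNAME",
                                     "Value": "_def456.acm-validations.aws."}
        return {"Certificate": {"DomainValidationOptions": [opt]}}

class FakeRoute53:
    def __init__(self):
        self.batches = []

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        self.batches.append((HostedZoneId, ChangeBatch))
        return {"ChangeInfo": {"Status": "PENDING"}}

class FakeApiGateway:
    def create_domain_name(self, domainName, regionalCertificateArn, endpointConfiguration):
        return {"domainName": domainName,
                "regionalDomainName": "d-fake.execute-api.eu-west-1.amazonaws.com"}

def envelope(entry, source_account):
    """Shape EventBridge delivers to the base account's Lambda (constructed)."""
    return {"source": entry["Source"], "detail-type": entry["DetailType"],
            "account": source_account, "detail": json.loads(entry["Detail"])}

def run_flow(acm, route53, apigw, account_id="222222222222", domain="api.example.com"):
    """End-to-end: request cert -> read CNAME -> event -> base account writes DNS -> attach domain."""
    arn = request_dns_validated_cert(acm, domain)
    records = validation_records(acm, arn)
    entry = build_validation_event(account_id, domain, arn, records)
    batch = handle_validation_event(envelope(entry, account_id), route53)
    dn = attach_regional_domain(apigw, domain, arn)
    return {"arn": arn, "records": records, "batch": batch, "domain": dn}

if __name__ == "__main__":
    print(json.dumps(run_flow(FakeAcm(), FakeRoute53(), FakeApiGateway()), indent=2))
```

Swapping the fakes for `boto3.client("acm")`, `boto3.client("route53")` (in the base account) and `boto3.client("apigateway")` gives the live flow; the only additional step in practice is polling `describe_certificate` until `Status` is `ISSUED` before calling `attach_regional_domain`, since API Gateway rejects a cert that is still pending validation.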