Thanks for the reply @tall-librarian-49374 🙂 The problem is that we need to deploy the Azure Function binaries as well as the application resource, before creating the subscription. The way we've modelled this so far (and implemented in our pipelines) is as two quite separate processes, with separate pipelines: one for our Pulumified infrastructure (deploying an empty shell), and one for our application deployment into that shell.
I'm happy to accept that this separated approach is wrong, if that's the case. I guess I'm looking for some direction on good practices around placing Pulumi in our pipelines as much as to solve the issue. If the split we have is not good practice then of course we can fix it by combining the deployment pipelines; if it is accepted practice, then we need to find a way around this issue.