Sorry, that won't work. Sandstorm needs a new hostname every time you open a document (that's a lost of hostnames), and to provide any CSRF mitigation it needs to be a secret (where anything you list on the certificate immediately becomes public knowledge).

Be sure to read the FAQ in the doc:

https://docs.sandstorm.io/en/latest/administering/wildcard/