You can theoretically use subdomain.device.tailnet.ts.net for DNS but not for HTTPS
admin@blueberrypi:~ $ sudo tailscale cert subdomain.blueberrypi.tailnet-name.ts.net
500 Internal Server Error: invalid domain "subdomain.blueberrypi.tailnet-name.ts.net"; must be one of ["blueberrypi.tailnet-name.ts.net"]
admin@blueberrypi:~ $ sudo tailscale cert *.blueberrypi.tailnet-name.ts.net
500 Internal Server Error: invalid domain "*.blueberrypi.tailnet-name.ts.net"; must be one of ["blueberrypi.tailnet-name.ts.net"]