Your debug log shows your custom lists to be correctly configured, enabled and assigned to a custom group, including two clients using that group.
Probably unrelated to your observation, but I noticed that both of those clients are on a subnet (each) different from that of your Pi-hole (2 192.168.x.x vs. 10.x.x.x).
Your observation is not related to CNAMEs, but to the order of precedence for matching allowed and blocked domains:
(emphasis mine)
As you have defined a regex block:
That regex block trumps your subscribed allowlist, showing in the log:
Your observation matches the expected behaviour.
Note that regular allowed domains will trump any blacklist, so you can keep using your existing definitions.