But you probably would want to allow only a very small number of CAs to do that.
What can you do?
For a while, we tried dynamic HTTP Public Key Pinning (HPKP, via the Public-Key-Pins header).
But, TOFU issues aside, that was a big footgun, so we deprecated that swiftly.
Except, we didn't: _static_ HPKP is still very much alive, even if your company long forgot they had submitted pins several years ago:
https://source.chromium.org/chromium/chromium/src/+/main:net/http/transport_security_state_static.json