And DANE... well. For starters it requires DNSSEC, which is like asking for Linux on the Desktop, or generally available IPv6, so... yeah.
But sure, let's use the DNS, where we have "Certificate Authority Authorization" or CAA records, specified in RFC8659, and which CAs are required to honor via CA/B Forum Ballot 187 since 2017.
CAA records let you specify which CAs you want to authorize to issue certificates for the given domain.
This is not perfect: CNAMEs get messy quickly, and you actually have to have your act together and know which domains are used where and how, e.g., with respect to third-parties you CNAME or delegate to.