I just attempted a deployment without configuring the CNAME record to point to the <subdomain>.<region>.cloudapp.azure.com endpoint and it failed on the ArcGIS Server deployment process. Having the CNAME available beforehand is therefore a necessary step and not doing so will prevent a successful deployment.
Due to the way Azure Front Door routes traffic, and the requirement of Portal to only support a single DNS, I think the Cloud Builder application is not going to be compatible with your intended use case. With that being said, you may be able to break the federation of the deployed site and update the URLs to use the correct Front Door URL while still maintaining a trusted endpoint on the Application Gateway, but the header rules on the Application Gateway would have to be reconfigured accordingly as well. Modifications of that level would prevent the site from being managed/upgraded by the Cloud Builder application in the future, so it seems like a Catch-22.
Thinking out loud, is there a method by which the Front Door configuration can resolve DNS differently than via public DNS? If that is the case, the Front Door service could resolve to the Application Gateway while clients would resolve to the Front Door service for the same target host and the same SSL certificate could be used for both.
-- Chris Pawlyszyn
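The post above states that the CNAME must already point at the `<subdomain>.<region>.cloudapp.azure.com` endpoint before Cloud Builder runs, or the ArcGIS Server deployment fails. The following pre-flight check is an added example written for this thread; it is not code from the poster, from Esri, or from the Cloud Builder application. It uses only the Python standard library: it confirms the endpoint name has the expected shape, resolves both the custom hostname and the Azure endpoint through the OS resolver (which follows the CNAME), and reports whether they land on the same addresses. The hostnames in the `__main__` block are constructed placeholders, and the resolver is injectable so the check can be exercised without network access.

```python
import re
import socket
from typing import Callable, Dict, Set

# Shape of the public endpoint named in the post: <subdomain>.<region>.cloudapp.azure.com
AZURE_CLOUDAPP_RE = re.compile(
    r"^(?P<subdomain>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)\."
    r"(?P<region>[a-z0-9]+)\.cloudapp\.azure\.com$"
)

# A resolver maps a hostname to the set of IPv4 addresses it resolves to.
Resolver = Callable[[str], Set[str]]


def system_resolver(host: str) -> Set[str]:
    """Resolve a host via the OS resolver; CNAME chains are followed automatically."""
    try:
        _, _, addrs = socket.gethostbyname_ex(host)
    except socket.gaierror:
        return set()
    return set(addrs)


def is_cloudapp_endpoint(host: str) -> bool:
    """True if host looks like <subdomain>.<region>.cloudapp.azure.com."""
    return AZURE_CLOUDAPP_RE.match(host.strip().lower()) is not None


def preflight_dns(custom_host: str, azure_endpoint: str,
                  resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Check that custom_host currently resolves to the same addresses as azure_endpoint.

    Returns a dict with 'ok' (bool) and a human-readable 'reason'. A False result
    means the CNAME is missing, not yet propagated, or pointing somewhere else,
    which is the condition the post reports as a deployment failure.
    """
    result: Dict[str, object] = {
        "custom_host": custom_host,
        "azure_endpoint": azure_endpoint,
        "ok": False,
        "reason": "",
    }
    if not is_cloudapp_endpoint(azure_endpoint):
        result["reason"] = "endpoint is not of the form <subdomain>.<region>.cloudapp.azure.com"
        return result

    endpoint_ips = resolve(azure_endpoint)
    if not endpoint_ips:
        result["reason"] = "Azure endpoint does not resolve yet; public IP / DNS label may not exist"
        return result

    custom_ips = resolve(custom_host)
    if not custom_ips:
        result["reason"] = "custom host does not resolve; CNAME missing or not yet propagated"
        return result

    if custom_ips != endpoint_ips:
        result["reason"] = (f"custom host resolves to {sorted(custom_ips)} but endpoint "
                            f"resolves to {sorted(endpoint_ips)}; CNAME points elsewhere")
        return result

    result["ok"] = True
    result["reason"] = "custom host resolves to the same addresses as the Azure endpoint"
    return result


if __name__ == "__main__":
    # Constructed placeholder names; replace with your own hostname and Azure DNS label.
    outcome = preflight_dns("gis.example.com", "gis-lab.eastus2.cloudapp.azure.com")
    print("OK" if outcome["ok"] else "NOT READY", "-", outcome["reason"])
```

Run it against the real names before starting Cloud Builder; a `NOT READY` result with the "does not resolve" reason usually just means the record has not propagated yet, while a "points elsewhere" reason means the CNAME target is wrong.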