I thought you'd still need to pull a new cert
That is what the wildcard is doing there: the cert is created for subdomain.duckdns.org
Then, SWAG proxy it to any sub-subdomain you want/need.
At the very least you're going to have to restart the container to pick up the new subdomain.conf.
That is always mandatory when editing/creating new proxy-confs