SWAG dns validation with a challenge alias

Good day!

I am trying to get a wildcard certificate for the domain I serve with swag using dns validation. Now, for security reasons, I do not want to save API credentials that would give full control over my domain apex DNS records onto an internet-facing web server.

One interesting approach I came upon is to delegate the acme challenge to a separate dns zone or subdomain, and use API keys that can only alter records in that specific zone/subdomain.

I use OVH and their API does not seem to support restricting API credentials to a subdomain; however, I could register a $3 .ovh domain to segregate keys into another domain.

I am trying to issue a certificate for test.example.com by delegating the challenge to acme.ovh, as follows:

test                        IN CNAME  example.com.
_acme-challenge.test        IN CNAME  acme.ovh.

I also have API keys under /config/dns-conf/ovh.ini with the following permissions:

GET /domain/zone/
GET /domain/zone/acme.oh/*
PUT /domain/zone/acme.ovh/*
POST /domain/zone/acme.ovh/*
DELETE /domain/zone/acme.ovh/*

My compose file is such as:

      - URL=test.example.com
      - VALIDATION=dns
      - SUBDOMAINS=wildcard
      - DNSPLUGIN=ovh
      - PROPAGATION=300

Unfortunately, no luck so far. This is what I am getting in the logs:

swag-test  | Generating new certificate
swag-test  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
swag-test  | Requesting a certificate for test.example.com and *.test.example.com
swag-test  | Error determining zone identifier for example.com: 403 Client Error: Forbidden for url: https://eu.api.ovh.com/1.0/domain/zone/example.com/status. (Are your Application Key and Consumer Key values correct?)

It seems like certbot is trying to update the wrong dns zone. Anyone has a similar setup working?