Wildcard certificates not being used when issued

I am using the following docker compose file to deploy traefik on a swarm cluster.

version: "3.7"

services:
  traefik:
    image: traefik:v2.1
    command:
      - "--api.dashboard=true"
      - "--accesslog=true"
      - "--log.level=INFO"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-public"
      - "--providers.file.watch=true"
      - "--providers.file.filename=/file_provider.yml"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.delayBeforeCheck=15"
      - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.letsencrypt.acme.email=user@domain.tld"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 443:443
    volumes:
      - traefik-certificates:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefik-public
    environment:
      - "CF_API_EMAIL=user@domain.tld"
      - "CF_API_KEY=api-key"
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.docker.lbswarm=true"
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
        - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
        - "traefik.http.routers.api.tls.certresolver=letsencrypt"
        - "traefik.http.routers.api.tls.domains[0].main=*.domain.tld"
        - "traefik.http.routers.api.tls.domains[0].sans=domain.tld"
        - "traefik.http.routers.api.rule=Host(`management.domain.tld`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
        - "traefik.http.routers.api.service=api@internal"
        - "traefik.http.services.api.loadbalancer.server.port=8080"
    configs:
      - file_provider.yml

volumes:
  traefik-certificates:

configs:
  file_provider.yml:
    file: /home/access/docker/traefik-provider.yml

networks:
  traefik-public:
    external: true

I am trying to switch to wildcard certificates over individual certificates for each subdomain. The wildcard certificate is issued successfully for *.domain.tld and domain.tld, but a certificate is also issued for management.domain.tld from the host rule definition. When I navigate to the site, the TLS certificate issued is for management.domain.tld, not *.domain.tld. How do I get Traefik to use the wildcard certificate instead of the one from the host rule?