Thinking about this some more, it seems like the right fix is for Virtualmin to popular dovecot.conf and sni_map in the correct order so that the more specific domain is listed first.
Alternately, we could add an option to not use * at all, and instead expand to the full list of hostnames from the cert. But I prefer the idea of fixing the order in the config, as it will work even if the cert is re-issued.