Azure – Redirect apex domain HTTPS requests without manually provisioning a certificate

Tags: azure, azure-dns, azure-storage, cdn

I'm trying to host a static website on Azure storage with a custom domain and HTTPS.

I have created a storage account, uploaded my files, and enabled static site hosting. The site works nicely from the <foo>.web.core.windows.net domain provided by Azure.

I have created a CDN endpoint for the site with the origin hostname set to the primary endpoint provided by Azure, added a custom domain for my www subdomain, provisioned a CDN-managed certificate for it, and added a rule to redirect non-HTTPS requests to https://www.<my-domain>.com. This also works well.

Now I want my apex domain to redirect to my www subdomain.

CNAMEs aren't an option, but I have added an alias A record for @ pointing to my CDN endpoint and added the apex domain as a custom domain to the CDN.

Requests to http://<my-domain>.com redirect nicely, but requests to https://<my-domain>.com understandably give a scary SSL_ERROR_BAD_CERT_DOMAIN error. Azure does not support CDN-managed certificate for apex domains:

CDN-managed certificates are not available for root or apex domains. If your Azure CDN custom domain is a root or apex domain, you must use the Bring your own certificate feature.

I don't want to actually host anything on my apex domain—I just want to redirect it to my www subdomain. Manually provisioning (and maintaining) a certificate seems like a lot of overhead.

The domain registrar, GoDaddy, has a "forwarding" feature that did what I want, but I prefer to keep my DNS hosted with Azure.

Is there a way to redirect apex domain HTTPS requests to my www subdomain without manually provisioning a certificate for my apex domain or moving my DNS out of Azure?

Best Answer

You could automate certificates for the apex using Let's Encrypt, making the cert part a little more easy to handle.

Other than that, you basically need to host a 301 redirect somewhere that talks both HTTP and HTTPS to get this to work, no shortcut I'm afraid, especially if you're going to be using HSTS. There are some DNS providers that actually support CNAMEs at the apex, but I'd be a bit hesitant trying those out.
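To make the answer's point concrete (a redirect host that answers on both HTTP and HTTPS with a 301 to the www name), here is an added Go example that is not from the answer, the question, or Azure: the handler keeps path and query, sends HSTS only on TLS responses, and the HTTPS listener still needs a certificate valid for the apex (for example one issued by Let's Encrypt). The host name www.example.com, the listen ports and the cert.pem/key.pem paths are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
)

// apexRedirect returns a handler that answers every request for the apex
// domain with a 301 to the same path and query on wwwHost, always over HTTPS.
// wwwHost ("www.example.com" below) is an assumed value; substitute your own.
func apexRedirect(wwwHost string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := url.URL{
			Scheme:   "https",
			Host:     wwwHost,
			Path:     r.URL.Path,
			RawQuery: r.URL.RawQuery,
		}
		// HSTS only counts when delivered over HTTPS; browsers ignore the
		// header on plain HTTP, so set it only for TLS requests.
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		}
		http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
	})
}

func main() {
	h := apexRedirect("www.example.com")
	// Plain HTTP listener: immediately sends the 301 to the https://www URL.
	go func() { log.Fatal(http.ListenAndServe(":80", h)) }()
	// HTTPS listener: the certificate must cover the apex name, otherwise
	// clients see the same bad-certificate error before the redirect happens.
	// cert.pem and key.pem are placeholder paths for your own certificate.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", h))
}
```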