Use the second option for domain validation and add a _acme-challenge CNAME example.com.XyZ2.flydns.net. instead of the first option of adding an AAAA record. See the second option in the output of flyctl certs check ... for the exact string to add as CNAME.
This works for me with a wildcard domain “*.example.ch”. Validation may take a few minutes. In one case, it took 10+ min until a domain was signed after I had added the _acme-challenge CNAME...