You could always ask for wildcard for internal subdomain and use that instead so you will leak your internal FQDN but not individual hosts.

I'm pretty sure every bank will auto fail wildcard certs these days, at least the ones I've worked with.

Key loss on one of those is like a takeover of an entire chunk of hostnames. Really opens you up.