Last tested: Mar 30, 2021
Short answer: Looker may allow wildcards in the embed domain list, but browsers generally do not allow wildcards in domain names for browser security contexts.
Longer answer: The Looker allowlist will allow wildcards, the browser will not. However, in the context of any given page, you just have to ensure that the parent page passes the correct of the two origins that you are using for that specific page load (via the embed_domain parameter), then Looker will use that and it should work
In the admin UI we would put https://*.domain.com
In the embed URL we would put the actual page we are embedding on embeddedcontent.domain.com