How to set Typo3 v10 site config for the equivalent of wildcards but with one exception?

Question

How can I set the Typo3 V10 Site Configuration to do this:

1. Everything incoming go to one site root page:
2. Except this one subdomain, which goes to a separate root page:

I have a web app based on Typo3 8.7 that I'm trying to upgrade to v10. In the 8.7 app, each customer organisation has a unique subdomain - school1.webapp.com, anotherschool.webapp.com etc., all pointing to the same typo3 site root page. Each time I need to create a new customer, all I have to do is to add a new sys_domain record and a custom plugin picks up the current sys_domain record as the means to separate customer data. A wildcard sys_domain record of *.webapp.com the picks up any misspellings and redirects to a separate page.

The one exception is auth.webapp.com which handles oauth authentication for all customers and goes to a different site root page.

This allows me to add new customers with just a simple form, which adds a new sys_domain record and job finished.

I now need to upgrade to Typo3 v10. I can detect the incoming subdomain to split between customer data easily enough, but I'm having problems with the new Site Configuration tool. All I need is to route auth.webapp.com to one site root page and everything else incoming to another.

My current setup seems to work for getting everything to route to the site root

 - Entry point /
 - Variant    Base:  https://%env(HTTP_HOST)%/
              Condition:    getenv("HTTP_HOST") == "*"

But if I create a second site entry for the auth.webapp.com domain, I just get an FE error of "Page Not Found - The page did not exist or was inaccessible. Reason: The requested page does not exist"

   Entry point https://auth.webapp.com

An entry point of /auth.webapp.com/ results in this subdomain going to the main customers entry point, even though the yaml entry says its pointed to the correct start point.

MAIN SITE - All incoming subdomains except  auth.webapp.com

base: /
baseVariants:
  -
    base: 'https://%env(HTTP_HOST)%/'
    condition: 'getenv("HTTP_HOST") == "*"'
errorHandling:
  -
    errorCode: 404
    errorHandler: Page
    errorContentSource: 't3://page?uid=13'
  -
    errorCode: 403
    errorHandler: Page
    errorContentSource: 't3://page?uid=1'
  -
    errorCode: 500
    errorHandler: Page
    errorContentSource: 't3://page?uid=14'
flux_content_types: ''
flux_page_templates: ''
languages:
  -
    title: English
    enabled: true
    base: /
    typo3Language: default
    locale: en_GB.UTF-8
    iso-639-1: en
    websiteTitle: 'Website Title Name'
    navigationTitle: ''
    hreflang: en-GB
    direction: ''
    flag: gb
    languageId: 0
rootPageId: 1
websiteTitle: 'Website Title Name'

AUTHENTICATION SITE - just auth.webapp.com

base: 'https://auth.webapp.com/'
flux_content_types: ''
flux_page_templates: ''
languages:
  -
    title: English
    enabled: true
    base: /
    typo3Language: default
    locale: en_GB.UTF-8
    iso-639-1: en
    websiteTitle: ''
    navigationTitle: ''
    hreflang: ''
    direction: ''
    flag: gb-eng
    languageId: 0
rootPageId: 11
websiteTitle: 'Website Title'

Answer 1

Jo's answer did the job. I'm posting a little more here to help others.

==============
.htaccess file
==============

<If "%{HTTP_HOST} != 'unique\.domain\.com'">
  SetEnv SPECIALNAME_ALLOW allow
</If>
<If "%{HTTP_HOST} == 'unique\.domain\.com'">
  SetEnv SPECIALNAME_ALLOW skip
</If>


==============
Typo3 SITE entry for the unique domain
==============
Entry Point -   https://unique.domain.com/
Variant Base - https://unique.domain.com/
Variant Condition - getenv("SPECIALNAME_ALLOW ") == "skip"


==============
Typo3 SITE entry for everything else
==============
Entry Point -   /
Variant Base - /
Variant Condition - getenv("SPECIALNAME_ALLOW ") == "allow"

Answer 2

You should make use of environment variables provided by your webserver in this case.

Setting i.e. AUTHENTICATED as an indicator for anything else than auth.webapp.com would help to filter the base variants for the common configuration condition and make sure that auth.webapp.com would be skipped there.