Due to how CNAME records work, any subdomain using a Vercel CNAME automatically inherits Vercel's predefined CAA records, preventing custom CAA at that level.
Vercel cannot modify CAA on its CNAME targets or add your custom records there.
Vercel's CNAME CAA settings are optimised for seamless Vercel certificate issuance across custom domains. Non-Enterprise users can't upload custom SSL certs anyway, so review your certificate's purpose before altering CAA. For certificates on other platforms (e.g., AWS), simply repoint the CNAME to that provider to bypass Vercel's CAA.
If using multiple hosts, proxies, or UCC/SAN certs with a SAN on Vercel CNAME, replace the CNAME with an A record (IPs shown in Project Domains) to enable custom CAA. Then add CAA at the subdomain or apex level (or both). See Can I use A records with Vercel?.
NOTE: Any custom CAA must include 0 issue "letsencrypt.org" for Vercel cert issuance.