Christopher: I see what you mean now. And you are correct that the allow list has the highest priority. Are you attempting a whitelist-only policy?
You can add specific CNAMEs to the block list without blocking the entire root. Ex: add photos-e.ak.fbcdn.net to the blocklist but do not add fbcdn.net to the allowlist.
This is a challenging situation. I'll re-open the request and hope to learn more about your and others' use case.