Okay, here is the solution I landed on. This will vary based on the type of server you are on and how much you can do within your hosting account (or your hosting provider is willing to do for you).
I’m running Apache and in a WHM / cPanel hosting environment with a dedicated IP address and root access. The basic idea here should work for other environments but as usual YMMV…
SNI has to be in place and running, under Apache.
Each domain will need to be covered by an SSL certificate – the wildcard certificate for the base network will only cover subdomains and will not cover mapped domains.
I added my client’s domain name(s) as an “add-on domain” within the account for the base WP network domain, in cPanel. Note that this required enabling the setting "Allow Creation of Parked/Addon Domains that are not registered" within WHM. Otherwise cPanel will complain: the domain is already pointed to an IP address that does not appear to use DNS servers associated with this server.
I also made sure autoSSL was enabled in WHM for the account that owns the WP base network domain. This causes autoSSL to trigger the installation of an SSL certificate for any add-on domains. autoSSL seems to be based on LetsEncrypt, so if you can’t use cPanel autoSSL then you can probably just use LetsEncrypt instead.
I already had a purchased SSL wildcard certificate for the base network domain, but the nice thing is that autoSSL respects that certificate and will not attempt to replace it.
Finally, I made sure the mapped domain in WP admin (network->sites->edit site) had a siteURL setting that started with https:// — and of course made sure all content is being served via https so no mixed-content warnings in the browser. In my case I had to drop into phpMyAdmin and update the options table for the site directly. I have to investigate why the admin page didn’t “stick” when I made the change there.
So now my client’s site(s) are covered by an auto-renewing free SSL, and come up in the browser across all pages with the green padlock.