There is currently no good solution for the "CNAME at apex" use case.
It wouldn't have been a problem if web browsers supported DNS SRV records, but they never did and never will.
Various DNS providers offer various kludges, sometimes called ANAME or APEXCNAME or ALIAS or whatever. The important point is that nothing is standard here. It will appear in some way in their UI/API, it can't be copied as is to another provider (if you change), and of course it doesn't appear at all on the DNS resolution side, as they will somehow (either dynamically when the requests come in, or through caches filled in advance) generate A and AAAA replies for the apex based on the configuration.
Technically, it basically involves an authoritative nameserver also being a little recursive, because at some point it needs to resolve the name you used in your "fake" CNAME to some IP address.
Which is why the future DNS records called SVCB or HTTPS will finally solve that. They are not fully standardized yet as the IETF RFC is still being written, but they already exist in the DNS with allocated resource record types, and various companies (Apple, Google, Cloudflare to name a few) are already using them.
Anyway, I recommend investing time only in this future foolproof standard solution (so finding DNS providers that support them, and watching how/when browsers will use them; they "all" said they will), and not investing time in the current kludges, as they are inferior, not standard, and bound to disappear with the arrival of the new DNS records above.
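
To see what an apex HTTPS record carries on the wire, unlike an ALIAS/ANAME entry that never reaches the resolver, here is an added example (not part of the original answer) that decodes SVCB/HTTPS RDATA in the layout the specification defines: a 16-bit priority, an uncompressed target name, then key/length/value parameters. The two byte strings are constructed samples and the `example.net` name is a placeholder.

```python
import ipaddress
import struct
# SvcParamKey numbers decoded below; other keys are shown as raw hex.
KEYS = {1: "alpn", 3: "port", 4: "ipv4hint", 6: "ipv6hint"}

def read_name(buf, pos):
    """Read an uncompressed domain name; return (name, next offset)."""
    labels = []
    while True:
        if pos >= len(buf) or buf[pos] > 63 or pos + 1 + buf[pos] > len(buf):
            raise ValueError("bad label in TargetName")
        n = buf[pos]
        if n == 0:
            return ".".join(labels) + ".", pos + 1
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n

def decode_value(key, val):
    if key == 1:  # alpn: list of length-prefixed protocol IDs
        out, i = [], 0
        while i < len(val):
            out.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
            i += 1 + val[i]
        return out
    if key == 3:  # port: 16-bit integer
        return struct.unpack("!H", val)[0]
    if key in (4, 6):  # address hints: packed IPv4 / IPv6 addresses
        size = 4 if key == 4 else 16
        return [str(ipaddress.ip_address(val[i:i + size])) for i in range(0, len(val), size)]
    return val.hex()

def parse_svcb(rdata):
    """Decode SVCB/HTTPS RDATA: priority, TargetName, then SvcParams."""
    (priority,) = struct.unpack_from("!H", rdata, 0)
    target, pos = read_name(rdata, 2)
    params = {}
    while pos < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, pos)
        val = rdata[pos + 4:pos + 4 + length]
        if len(val) != length:
            raise ValueError("truncated SvcParam")
        params[KEYS.get(key, f"key{key}")] = decode_value(key, val)
        pos += 4 + length
    mode = "AliasMode" if priority == 0 else "ServiceMode"
    return {"mode": mode, "priority": priority, "target": target, "params": params}

# Constructed RDATA: "HTTPS 0 lb1.example.net." and "HTTPS 1 . alpn=h2,h3 ipv4hint=192.0.2.1"
ALIAS = b"\x00\x00\x03lb1\x07example\x03net\x00"
SERVICE = b"\x00\x01\x00\x00\x01\x00\x06\x02h2\x02h3\x00\x04\x00\x04\xc0\x00\x02\x01"
```

Priority 0 is the alias form that covers the apex case; a target of `.` in the service form means the record's own owner name.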