@markylaing may be able to share some insights here.
But my understanding is that LXD always uses mutual TLS for intra-cluster communications and doesn't validate based on domain/IP.
So that suggests one or more of your cluster members are missing valid entries in the internal trust store.
I think we will need more details on what you did in this step:
I replaced them with valid wildcard CA-signed certificates (*.example.com) in /var/snap/lxd/common/lxd/
Question: Is this related to the fact the cluster won't start up now? Had you previously restarted the cluster and it was working before the node failed that was forcefully removed?
As @tomp suggests, this is the likely cause. In a clustered setup, replacing server.{crt,key} is not supported. These self-signed certificates are used for internal traffic only, so there should be no reason to change them. These certificates also secure the DQLite connection, so if they are not trusted, DQLite (and therefore LXD) will break.
Can you please let us know what your reason was for doing this? There may be other features in LXD that help you achieve the behaviour you want.