Those two conditions are triggered Subject field in certificate, both. However, if certificate has Subject Alternative Name (SAN) in inside, server.certificate.hostname hits the top of the DNS name.
For example, attached certificate here,
server.certificate.subject = ".vo.msecnd.net" allow
Both policy rule should match and allow for accessing to https://az216772.vo.msecnd.net