I had an AppRunner instance with a custom domain that was stuck on "Pending certificate DNS validation” as it was trying to validate the ACM certificates.
Turns out that the UI to copy and paste the DNS validation entries can lead you astray.
The record names include the domain name already. So if you copy and paste from the AppRunner console into Route 53 you will end up with the domain name in the record twice.
Simply remove the domain before pasting. I chalk this up to a less-than-good user interface on the AppRunner side.