I do appreciate everyone's suggestions and help. Here's what I ended up doing.
FreeDNS via freedns.afraid.org as a DDNS Subdomain
Domain + Subdomain via hosting provider
Hosted Subdomain CNAME to the DDNS Subdomain
Setup DDNS using Asustor > Settings > Manual Connect and setting up a FreeDNS account and input the info it needed. Last DDNS update keeps coming back as Failure but FreeDNS keeps updating my IP so it seems to work, but for whatever reason Asustor doesn't think it's working.
Used openssl + certbot CLI tools to generate a certificate that covers all 3 cases: Hosted Subdomain, Hosted Domain, DDNS Subdomain. Looks like this:
certbot certonly --key-type rsa --rsa-key-size 2048 --manual --preferred-challenges dns -d hosteddomain.example -d subdomain.hosteddomain.example -d ddns.domain.example
This will set up verification codes that you can create TXT records for on the Hosted Domain and the DDNS Domain. I had to contact FreeDNS to get access to add text records with underscores but they were cool and quick to reply. They look like this:
_acme-challenge.hosteddomain.example
8suZTccF9ZpB0fnBr9mgEEXTcX7cqSkDXiBzucTcOfw
Once the certificates are in place I uploaded them to my Hosted Domain and verified that my Hosted Domain was showing the SSL certificate / lock at HTTPS.
Next I logged into my Asustor and under Settings > Certificate Manager I added my SSL Certificates and assigned it as the primary certificate for the NAS.
Finally, I needed to enable SSL on my Jellyfin, which required a PFX file.
openssl pkcs12 --export -out "Z:\Path\To\PFXOutput\jellyfin.pfx" -inkey "Z:\Path\To\Cert\jellyfin.key" -in "Z:\Path\To\Cert\jellyfin.crt"
Under Jellyfin > Dashboard > Networking I enable HTTPS, Require HTTPS, give it the path to the PFX file and the PFX password, and Allow remote connections to the server. I disabled port forwarding from Jellyfin and had to jump into my router to remove the UPnP records it had previously added. All port numbers are default to Jellyfin and no URLs in the Server Address Settings.
Important to take note of the Jellyfin ports here for both HTTP and HTTPS requests. Important note to restart Jellyfin after this takes effect. Asustor has an App Central where under Installed Apps you can just turn it off and back on again.
Finally, I added Port Forwarding to my router so that the 443 looks for the Jellyfin HTTPS port and 80 looks for the Jellyfin HTTP port at my NAS IP.
Now I can access HTTPS subdomain.domain.example and land at my Dockered Jellyfin app.