I'm sure this is something I should already understand, but I'm finding myself confused.

The configs in play add up to this:

NameVirtualHost *:80
Listen 80

<VirtualHost *:80>
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName domain.tld
    ServerAlias *.domain.tld
    DocumentRoot /var/www/domain.tld
    <Directory /var/www/domain.tld>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

DNS is working correctly.

The issue is, every variant of http://*.domain.tld/ (including http://domain.tld/) works correctly, except http://www.domain.tld/ which throws a 403.

The logs state: client denied by server configuration: /etc/apache2/htdocs

If I remove the first VirtualHost block from play, everything works as expected including http://www.domain.tld. This leads me to believe that for some reason, Apache is not considering www.domain.tld to match the second VirtualHost block, and is thereby falling back to deny all.

This seems wrong. Shouldn't the second block match www.domain.tld?

I've been able to resolve this, but I still don't understand why. In my original configs, I was using the real ip address of the server instead of *. Switching all instances to * as shown above made everything work as expected.

Does this have something to do with the way browsers request resources?