It's quite common for cloud apps to generate subdomains for each client, for example:
And that is handled/grown automatically by the web app.
However the API callback url used when authenticating has to be entered against the app online at Sage and it has to match *exactly*, which is a bit inflexible here.
Another reason is the callback url may contain a dedicated action to perform on return from the authentication, e.g. https://client.myapp.com?action=downloadsagecustomers
Again unless entered against the app registered in Sage exactly, this won't pass.
My suggestion would be to simplify the matching to be on the callback domain only (e.g. if myapp.com found to be in the core url of the string, it can pass), which would allow other querystrings or subdomain prefixes to pass from the same domain too.