I finally figured this out.
Apparently, on Ubuntu, Chrome looks to an obscure and completely non-obvious location for TLS certificate authorization overrides. Basically, the trick here was to determine how to replicate trusting a self-signed certificate in the GUI version of Chrome, but via the CLI.
(See this helpful article for more information: https://leehblue.com/add-self-signed-ssl-google-chrome-ubuntu-16-04/ )
For self-signed certificates, such as those that Homestead generates during provisioning, it is necessary to add them to this arcane sqlite database in the effective user's (in this case, the vagrant user's) Home directory before Chrome (and in turn, the standalone chromedriver) will trust the certificates.
Chromium's (and therefore Chrome's) certificate handling is described in moderate detail at https://chromium.googlesource.com/chromium/src/+/lkcr/docs/linux_cert_management.md .
Firstly, certutil must be installed:
$ sudo apt-get install libnss3-tools
The following commands must be executed as the vagrant user, assuming a Homestead environment (otherwise, as whomever the chromedriver will be running).
On a new system, it's possible that the certificate database does not yet exist, in which case it is necessary to create it before performing the subsequent steps:
$ mkdir -p $HOME/.pki/nssdb
$ certutil -N -d $HOME/.pki/nssdb --empty-password
(the --empty-password switch is necessary to automate this process)
To add a given certificate:
$ certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n /etc/nginx/ssl/site.example.com.crt -i /etc/nginx/ssl/site.example.com.crt
To confirm the addition (list all "accepted" overrides):
$ certutil -d sql:$HOME/.pki/nssdb -L
And if for any reason one desires to remove an override:
$ certutil -D -d sql:$HOME/.pki/nssdb -n /etc/nginx/ssl/site.example.com.crt
Now, my tests pass when the APP_URL is https://site.example.com!
In your case, given that you have a valid wildcard that is not self-signed, it must be that your certificate does not contain the SubjectAltName field, which is now required as of Chrome 58, or you're missing an intermediate CA or two in the trust chain (can occur with less common CAs).
If your certificate does include SubjectAltName, then you should use curl from the CLI in Homestead (or whatever environment you're running Dusk from within) to determine which intermediate CA certificate is missing from the trust chain.