You need separate certificate for the root / naked domain.
SSL Certs are valid for the given wildcard depth. * , * .*, * .* .* etc.,
Based on the cert pattern you can notice it is
*.xyz.com not *xyz.com
In case if it matches to all strings in the prefix without a dot. It will match all of the domains like
axyz.com bxyz.com and xyz.com