CP - DP authentication via PKI mode

We are using Kong OSS in Hybrid mode, where we have multiple data planes connecting to the Control Plane via PKI mode.

In PKI mode, each DP can have a different certificate, but all are issued from the same CA.
We issue these certificates from a shared CA, i.e. other teams can also issue certificates from the same CA. This seems like a risk because any team can present a certificate, authenticate to the Control Plane and fetch the configuration. This configuration may contain some sensitive information, and having a dedicated CA for our team requires too much management effort.

Just checking if the CP and DP certificates are from the same CA seems too basic for authentication.

Is there a way we can use a shared CA while checking some extra parameters in the certificates during CP authentication, so that other teams issuing certs from the same CA aren't able to authenticate to our CP?
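
The gap between a chain-only check and a chain check plus an identity allowlist, as an added example in Go (not code from the post, and not Kong's implementation or configuration). The certificate names, the subject-CN allowlist and the helper functions are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a short-lived client cert for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // no issuer given: build the shared CA itself
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// chainOK is the chain-only check: any client cert issued by the shared CA passes.
func chainOK(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// authorized adds an identity allowlist (assumption: keyed on subject CN) to the chain check.
func authorized(leaf *x509.Certificate, roots *x509.CertPool, allowed map[string]bool) bool {
	return chainOK(leaf, roots) && allowed[leaf.Subject.CommonName]
}
// demo returns {ours chain-only, other chain-only, ours authorized, other authorized}.
func demo() [4]bool {
	ca, caKey := issue("Shared CA (constructed)", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	ours, _ := issue("dp1.gateway-team.example", ca, caKey) // constructed names
	other, _ := issue("svc.other-team.example", ca, caKey)
	allowed := map[string]bool{"dp1.gateway-team.example": true}
	return [4]bool{chainOK(ours, roots), chainOK(other, roots), authorized(ours, roots, allowed), authorized(other, roots, allowed)}
}
func main() { fmt.Println(demo()) } // prints [true true true false]
```

An allowlist like this is only as strong as the shared CA's issuance policy: it holds when other teams cannot obtain certificates carrying the allowed names.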