I've been testing a tighter ruleset for my CA-enabled MVs. It appears allowing 443 to *.vision.meraki.com is working (in addition to the other cloud destinations needed for mgmt, streaming proxy, etc.).
They appear to also need port 80 to 142.250.0.0/15, which must be part of the broader "port 80 to any" suggested rule.
Ryan / Meraki SE