After my experiment with a few more SANs than usual, I received the advice that multiple wildcards should in theory work as well. In practice I could not get something like 'DNS:*.*.sven.stormbind.net' to be accepted by any decent browser. The other obstacle would be to find a CA to sign it for you. As far as I can tell everyone sticks to the wildcard definition given in the CAB BR.

Wildcard Certificate: A Certificate containing an asterisk (*) in the left-most position of any of the
Subject Fully-Qualified Domain Names contained in the Certificate.

That said, I could reduce the number of SANs from 1960 to 90 when I added a wildcard SAN per person. That's also a number small enough for Internet Explorer to not fail during the handshake. I rejected that option initially because I thought that multiple wildcards on one certificate are not accepted by browsers. In practice it just seems to be a rarely available option provided on the market.
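The left-most-label rule quoted above, as an added example that is not part of the original post: a simplified SAN matcher that can be used to check a planned SAN list against the hostnames it has to cover before requesting a certificate. The function names, the per-person layout `*.<person>.sven.stormbind.net` and the hostnames are assumptions constructed for illustration, and real browser matching applies further rules that are not modelled here.

```python
# Added example: simplified dNSName matcher. Hostnames below are constructed.

def is_br_wildcard(san: str) -> bool:
    """True if the name holds exactly one '*' and it is the whole left-most label."""
    labels = san.split(".")
    return labels[0] == "*" and san.count("*") == 1


def san_matches(san: str, host: str) -> bool:
    """Match a single SAN entry against a hostname, case-insensitively."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    if not is_br_wildcard(san):
        return False  # e.g. '*.*.sven.stormbind.net' is rejected outright
    san_labels, host_labels = san.split("."), host.split(".")
    # The wildcard stands for exactly one non-empty label, never for several.
    return (len(san_labels) == len(host_labels)
            and host_labels[0] != ""
            and san_labels[1:] == host_labels[1:])


def uncovered(sans, hosts):
    """Return the hostnames that no SAN entry in the list covers."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


# Constructed sample: two people, a few services each.
HOSTS = [
    "www.alice.sven.stormbind.net",
    "mail.alice.sven.stormbind.net",
    "www.bob.sven.stormbind.net",
]

CANDIDATES = {
    "double wildcard": ["*.*.sven.stormbind.net"],
    "single top-level wildcard": ["*.sven.stormbind.net"],
    "one wildcard per person": ["*.alice.sven.stormbind.net",
                                "*.bob.sven.stormbind.net"],
}

if __name__ == "__main__":
    for name, sans in CANDIDATES.items():
        print(f"{name}: {len(sans)} SAN(s), uncovered = {uncovered(sans, HOSTS)}")
```

Only the per-person list covers every hostname: the double wildcard is not a valid wildcard name under the quoted definition, and a single wildcard does not span two labels.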