That is likely down to Certificate Pinning which is implemented on many services these days.
From the second link I posted:
"Many mobile devices and enterprise SaaS cloud applications use mutual authentication or certificate pinning to validate the ...
"Known-Key" decryption is for services that you own/manage such as decryption of inbound sessions to your internal web servers. The firewall uses the uploaded private key from the server to decrypt and re-encrypt the session.
"Resign" is for decrypti...
You will most likely find that an FQDN object for such a large scale web service will not work for your use-case. That's not the intended use.
If you configure an FQDN Object such as facebook.com, the FTD device will do a DNS lookup for facebook.com...