Sorry for the delay getting back with a response Andy.
It seems that there was a configuration error where the ServerName and ServerAlias were not set in the virtual host, allowing it to act as a default for any host request. This did not break the browsers as the certificate was recognised, but as you suggested Twitter is more strict.
The actual fix was to set the ServerName and ServerAlias, plus to ensure the setting in the virtual host block:
which is necessary when the server names are specified (as the default server setting is suddenly no longer valid).
Thanks for your help! I wish the validator had given me a hint what the actual issue was to save you time and effort guiding me.