Simply: Yes.
For DV (domain validated) certificates the issuer will only check if the domain belongs to you. In your case bob.com. This is normally done by either asking you to put a specific html file on your webserver which the issuer tries to read or by sending you an email to a specific address like postmaster@bob.com. The last option is more common.
The issuer does not check wether it is a CNAME record or an A record type of your domain.
The more important question is if you are able to place your certificate on the webserver of susan.co.uk and if it supports SNI to present your certificate.
Some issuers also allow you to register for a (timely limited) free certificate. Maybe you try with one of these first before paying for a certificate which you can't use because of technical issues on the server side.

No, you won't be able to deploy an SSL certificate on the server which you don't have any access, to get an SSL certificate or to deploy an certificate you need complete access of the domain webserver.

You can get SSL/TLS certificate (Domain Validated) but you'll not be able to use it without having access to web server (in your case images.susane.co.uk).

So having access to target/real server which is hosting web app is vital.