Yes, you can implement a secure over-the-air exchange of the certificate pins.

Your app can download a signed list of pins from an unpinned domain. The signature of the data payload ensures the data's authenticity and can be validated on the client side using a built-in public key (baked into the mobile app).

You need to establish a process to keep the list of pins up-to-date when a new certificate is issued so that the app always downloads the correct pins. Also, as a pro tip, do not forget to add a challenge to the request from the mobile client to prevent replaying the response (the response should be a signed list of pins together with the challenge).

Here is an example tutorial on how to implement dynamic SSL pinning on iOS and Android:

https://developers.wultra.com/tutorials/posts/Dynamic-SSL-Pinning-for-Mobile-Apps/