>=2 certs/pk ; same name ; different services?

Usually applications cannot reach the certificate once they have been started. It's common to start an application as root so it can read the root-owned private key and afterwards drop the privileges to a much less privileged user.

Correct.

Those you've read in the docs.

I don't know what you mean by this. It's quite common to have port 80 and 443 open. Look at all those websites out there using them. Or what do you mean by "protecting" and "gatekeeping" exactly?

I don't think you have to "lock down" anything to begin with, but my bet is to follow the API Announcements category. That way you'll get an email on the address associated with your Community account when a new thread is opened there.

You could use CAA RRs for that. See Enabling ACME CAA Account and Method Binding for more info about that.

I'm not 100 % sure, but I'm not aware of any free CA revoking duplicate certs. See ACME CA Comparison - Posh-ACME for a comparison of ACME CAs.

No, cross-signing is not an option for end users. Only for entities with lots of money willing to set up their own sub-CA for :money_with_wings: :money_with_wings: :money_with_wings:

Personally I think you're overthinking this :slight_smile:
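An added example (not from the original thread) of what the CAA account and method binding mentioned above looks like in a zone file; the domain, the account ID and the mailbox are placeholders, and the parameter names follow RFC 8657:

```zone
; Constructed example zone fragment. Replace ACCOUNT_ID_PLACEHOLDER with the
; numeric ID from your own ACME account URL as reported by your client.
; Only this one account at Let's Encrypt, using dns-01, may issue for the name.
example.com.   IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/ACCOUNT_ID_PLACEHOLDER; validationmethods=dns-01"
; Forbid wildcard issuance for this name entirely (empty issuer list).
example.com.   IN CAA 0 issuewild ";"
; Ask CAs to report a refused issuance to this mailbox.
example.com.   IN CAA 0 iodef "mailto:security@example.com"
```

With this in place a second service on the same name that uses a different ACME account is refused by the CA, so "same name, different services" becomes a question of which account owns the issuance, not of locking down ports.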
