That’s not supported. Let’s Encrypt only issues certificates containing SubjectAlternativeNames for DNS names (and potentially IP addresses in the future).
If SMTP replication is used, the certificate Subject Alternative Name section must also contain the globally unique identifier (GUID) of the domain controller object in the directory. For example:
Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9 DNS
I'm not very familiar with Active Directory, but smartcards (in short) can store a private key which can be used with a certificate in various protocols. TLS client certs with private keys on smartcards are often used for things like employee VPN logins. One of the reasons the ACME protocol takes a CSR is for interoperability with other systems (like smartcard software) which can produce a CSR for the private key on the device.
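As an added example (not code from any poster in this thread or from Let's Encrypt), the sketch below walks a DER-encoded SubjectAltName value and separates DNS names, the only SAN type the first reply says Let's Encrypt issues, from other entries such as the domain controller GUID otherName quoted above. The sample SAN is constructed here, the host name `dc1.example.test` is a placeholder, and the code assumes the GUID is carried as an OCTET STRING in the Windows mixed-endian layout.

```python
import uuid

NTDS_REPLICATION_OID = "1.3.6.1.4.1.311.25.1"  # OID shown in the quoted example

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_san(der):
    """Split a GeneralNames value into (dns_names, non_dns_entries)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    dns_names, other, pos = [], [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x82:  # [2] dNSName
            dns_names.append(value.decode("ascii"))
        elif tag == 0xA0:  # [0] otherName: type-id OID, then [0] EXPLICIT value
            _, oid, nxt = read_tlv(value, 0)
            _, wrapped, _ = read_tlv(value, nxt)
            _, inner, _ = read_tlv(wrapped, 0)
            name = decode_oid(oid)
            if name == NTDS_REPLICATION_OID and len(inner) == 16:
                # Assumption: GUID bytes use the mixed-endian Windows layout
                other.append((name, str(uuid.UUID(bytes_le=inner))))
            else:
                other.append((name, inner.hex()))
        else:  # any other GeneralName choice (rfc822Name, iPAddress, ...)
            other.append((f"tag 0x{tag:02x}", value.hex()))
    return dns_names, other

def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length, sample only

# Constructed sample: the GUID bytes from the quoted example plus a placeholder DNS name
GUID_BYTES = bytes.fromhex("ac4b2906aad65d4fa99c4cbcb06a65d9")
SAMPLE_SAN = tlv(0x30, tlv(0xA0, tlv(0x06, bytes.fromhex("2b0601040182371901"))
                 + tlv(0xA0, tlv(0x04, GUID_BYTES))) + tlv(0x82, b"dc1.example.test"))
```

Any entry returned in the second list is something a CSR would carry that falls outside the DNS-name-only SANs described in the first reply.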