If there's a file in /etc/nginx/sites-enabled with non conf extensions like .bak files, certbot will add its well-known acme challenge configs to them. Which one it chooses seems to be random but because nginx only uses the files with .conf extensions, it causes certbot to fail with 403 errors.
This issue occurs running on ubuntu server 20.04 LTS using the apt installed certbot
certbot --version
certbot 0.40.0
This version of certbot is about 4 years old, unsupported, and significant changes have occured since then. For a bug report, it would be helpful if you could reproduce this issue on a more recent version.
The EFF recommends to install certbot via snap, which will get you a much more recent version to test with.
Please show the include line in your nginx configuration that covers that path.
Sadly, the nginx default config shows:
include /etc/nginx/sites-enabled/*;
[which would include ALL files in that folder - including the *.bak file(s)]
it makes sense. sites-enabled should only contain symlinks to sites-available. bak files should be in the latter.