The simplest way to overcome CGNAT is to avoid HTTP-01 authentication; use DNS-01 authentication.
That requires the use of an ACME client that has a DNS plugin that can update the DNS zone.
That requires that the DNS Service Provider (DSP) supports updates via API.
This, of course, will only get you a cert.
If you plan on using that cert to serve content to anyone on the Internet...
You will have to get much more creative, as there is no way for the Internet to reach your IP (behind the CGNAT).