You should be getting 4 requests per challenge URL (subject to change), all from different IP addresses. The others come from AWS at the moment, but that’s also subject to change.
You’re not whitelisting IPs, are you?
Reviewing this might help: ACME v1/v2: Validating challenges from multiple network vantage points
Could you also show the validation error from Certbot? Is it a timeout, wrong content, etc?