Thank you so much!
I did as you suggest, and they responded with:
I have allowed acme-protocol inbound traffic on the DC firewall, which I can see some blocking on the DC Palo
I ran certbot again, and voila! Success.
That was a tricky one. I really appreciate the help @MikeMcQ and @rg305 !