Cyber-attacks from the secondary verification source addresses

You do not need to enable global access for a Let's Encrypt challenge to succeed. You can switch to DNS-based validation instead of HTTP, or allow-list only the .well-known/acme-challenge path globally. You have plenty of options available if you don't want to allow global access.

(Personally, I don't understand why people think geoblocking protects them. It's not like an attacker can't buy a VPS with a US IP to bypass your geoblock. Those "hackers" you're seeing are stupid, automated scanners that pose no real threat to any reasonably secured website. The real threats are all capable of bypassing your geoblock)
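The "allow-list only the challenge path" option mentioned in the post, shown as an added nginx configuration example (not taken from the post or from Let's Encrypt's documentation). It assumes the site is served by nginx and uses plain `allow`/`deny` on constructed example address ranges; country-based blocking would instead need the geo or GeoIP module to populate the allowed set. The hostname and webroot are placeholders.

```nginx
# Added example: restrict the whole site by source address, but keep the
# ACME HTTP-01 challenge path reachable from anywhere, since Let's Encrypt
# validates from several vantage points whose addresses are not published.
server {
    listen 80;
    server_name example.com;          # placeholder hostname

    # Site-wide source restriction. The ranges are constructed examples.
    allow 203.0.113.0/24;
    allow 198.51.100.0/24;
    deny  all;

    # ^~ is a prefix match that wins over any regex location, so no other
    # rule can shadow the challenge path. Access directives declared inside
    # a location replace the inherited server-level set entirely, so the
    # single "allow all" here lifts the restriction for this path only.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;           # placeholder; e.g. certbot --webroot -w /var/www/acme
        default_type text/plain;
        allow all;
    }

    # Everything else inherits the allow/deny list above.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading, a request from an address outside the allowed ranges should receive 403 for `/` but 200 (or 404 if no token file is present) for `/.well-known/acme-challenge/<token>`, which is what lets the certificate renew without opening the rest of the site.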