Dual NGINX + Dual Application Servers

This is commonly solved by using a central validation server (e.g. acme-validate.example.com) and having all your web server instances redirect requests for /.well-known/acme-challenge/* to this server (with a regular HTTP 301). The validation server could be running the client in standalone mode, and Let’s Encrypt will happily follow the redirect to that server.

Another option is to use a DNS-based challenge with one of the alternative clients. Lego, for example, comes with a plugin (or provider, as they call it) for Route 53.

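The redirect setup described above, as an added example that is not part of the original post: an NGINX server block for each web server instance that forwards only the ACME HTTP-01 challenge path to the central validation host. The hostnames `www.example.com` and `acme-validate.example.com` are assumed placeholders, and the comment about the standalone client on the validation host is an assumption about how that host is run, not something the post specifies.

```nginx
# Added example, not from the original post. Placed on each of the
# web server instances; hostnames are placeholders.
server {
    listen 80;
    server_name www.example.com;

    # Only the ACME challenge path is redirected. The validation host
    # (running the ACME client in standalone mode on port 80) answers
    # the challenge; the CA follows the 301 there. Plain HTTP is fine
    # for this hop, since the CA accepts redirects and the challenge
    # token itself is not secret.
    location ^~ /.well-known/acme-challenge/ {
        return 301 http://acme-validate.example.com$request_uri;
    }

    # Everything else keeps its normal behaviour (here: force HTTPS).
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Using `^~` makes the challenge location win over any regex `location` blocks that might otherwise catch the request, which is the usual reason a challenge redirect silently fails. The validation host must accept connections on port 80 from the Internet for every domain name being issued, but it never needs the application servers' private keys, which is the main reason to keep it separate.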